<html><body>
<style>

body, h1, h2, h3, div, span, p, pre, a {
  margin: 0;
  padding: 0;
  border: 0;
  font-weight: inherit;
  font-style: inherit;
  font-size: 100%;
  font-family: inherit;
  vertical-align: baseline;
}

body {
  font-size: 13px;
  padding: 1em;
}

h1 {
  font-size: 26px;
  margin-bottom: 1em;
}

h2 {
  font-size: 24px;
  margin-bottom: 1em;
}

h3 {
  font-size: 20px;
  margin-bottom: 1em;
  margin-top: 1em;
}

pre, code {
  line-height: 1.5;
  font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}

pre {
  margin-top: 0.5em;
}

h1, h2, h3, p {
  font-family: Arial, sans serif;
}

h1, h2, h3 {
  border-bottom: solid #CCC 1px;
}

.toc_element {
  margin-top: 0.5em;
}

.firstline {
  margin-left: 2 em;
}

.method  {
  margin-top: 1em;
  border: solid 1px #CCC;
  padding: 1em;
  background: #EEE;
}

.details {
  font-weight: bold;
  font-size: 14px;
}

</style>

<h1><a href="androidmanagement_v1.html">Android Management API</a> . <a href="androidmanagement_v1.enterprises.html">enterprises</a> . <a href="androidmanagement_v1.enterprises.policies.html">policies</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
  <code><a href="#close">close()</a></code></p>
<p class="firstline">Close httplib2 connections.</p>
<p class="toc_element">
  <code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>
<p class="firstline">Deletes a policy. This operation is only permitted if no devices are currently referencing the policy.</p>
<p class="toc_element">
  <code><a href="#get">get(name, x__xgafv=None)</a></code></p>
<p class="firstline">Gets a policy.</p>
<p class="toc_element">
  <code><a href="#list">list(parent, pageSize=None, pageToken=None, x__xgafv=None)</a></code></p>
<p class="firstline">Lists policies for a given enterprise.</p>
<p class="toc_element">
  <code><a href="#list_next">list_next()</a></code></p>
<p class="firstline">Retrieves the next page of results.</p>
<p class="toc_element">
  <code><a href="#modifyPolicyApplications">modifyPolicyApplications(name, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Updates or creates applications in a policy.</p>
<p class="toc_element">
  <code><a href="#patch">patch(name, body=None, updateMask=None, x__xgafv=None)</a></code></p>
<p class="firstline">Updates or creates a policy.</p>
<p class="toc_element">
  <code><a href="#removePolicyApplications">removePolicyApplications(name, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Removes applications in a policy.</p>
<h3>Method Details</h3>
<div class="method">
    <code class="details" id="close">close()</code>
  <pre>Close httplib2 connections.</pre>
</div>

<div class="method">
    <code class="details" id="delete">delete(name, x__xgafv=None)</code>
  <pre>Deletes a policy. This operation is only permitted if no devices are currently referencing the policy.

Args:
  name: string, The name of the policy in the form enterprises/{enterpriseId}/policies/{policyId}. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); }
}</pre>
</div>

<div class="method">
    <code class="details" id="get">get(name, x__xgafv=None)</code>
  <pre>Gets a policy.

Args:
  name: string, The name of the policy in the form enterprises/{enterpriseId}/policies/{policyId}. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A policy resource represents a group of settings that govern the behavior of a managed device and the apps installed on it.
  &quot;accountTypesWithManagementDisabled&quot;: [ # Account types that can&#x27;t be managed by the user.
    &quot;A String&quot;,
  ],
  &quot;addUserDisabled&quot;: True or False, # Whether adding new users and profiles is disabled. For devices where managementMode is DEVICE_OWNER this field is ignored and the user is never allowed to add or remove users.
  &quot;adjustVolumeDisabled&quot;: True or False, # Whether adjusting the master volume is disabled. Also mutes the device. The setting has effect only on fully managed devices.
  &quot;advancedSecurityOverrides&quot;: { # Advanced security settings. In most cases, setting these is not needed. # Advanced security settings. In most cases, setting these is not needed.
    &quot;commonCriteriaMode&quot;: &quot;A String&quot;, # Controls Common Criteria Mode—security standards defined in the Common Criteria for Information Technology Security Evaluation (https://www.commoncriteriaportal.org/) (CC). Enabling Common Criteria Mode increases certain security components on a device, see CommonCriteriaMode for details.Warning: Common Criteria Mode enforces a strict security model typically only required for IT products used in national security systems and other highly sensitive organizations. Standard device use may be affected. Only enabled if required. If Common Criteria Mode is turned off after being enabled previously, all user-configured Wi-Fi networks may be lost and any enterprise-configured Wi-Fi networks that require user input may need to be reconfigured.
    &quot;contentProtectionPolicy&quot;: &quot;A String&quot;, # Optional. Controls whether content protection, which scans for deceptive apps, is enabled. This is supported on Android 15 and above.
    &quot;developerSettings&quot;: &quot;A String&quot;, # Controls access to developer settings: developer options and safe boot. Replaces safeBootDisabled (deprecated) and debuggingFeaturesAllowed (deprecated). On personally-owned devices with a work profile, setting this policy will not disable safe boot. In this case, a NonComplianceDetail with MANAGEMENT_MODE is reported.
    &quot;googlePlayProtectVerifyApps&quot;: &quot;A String&quot;, # Whether Google Play Protect verification (https://support.google.com/accounts/answer/2812853) is enforced. Replaces ensureVerifyAppsEnabled (deprecated).
    &quot;mtePolicy&quot;: &quot;A String&quot;, # Optional. Controls Memory Tagging Extension (MTE) (https://source.android.com/docs/security/test/memory-safety/arm-mte) on the device. The device needs to be rebooted to apply changes to the MTE policy. On Android 15 and above, a NonComplianceDetail with PENDING is reported if the policy change is pending a device reboot.
    &quot;personalAppsThatCanReadWorkNotifications&quot;: [ # Personal apps that can read work profile notifications using a NotificationListenerService (https://developer.android.com/reference/android/service/notification/NotificationListenerService). By default, no personal apps (aside from system apps) can read work notifications. Each value in the list must be a package name.
      &quot;A String&quot;,
    ],
    &quot;untrustedAppsPolicy&quot;: &quot;A String&quot;, # The policy for untrusted apps (apps from unknown sources) enforced on the device. Replaces install_unknown_sources_allowed (deprecated).
  },
  &quot;alwaysOnVpnPackage&quot;: { # Configuration for an always-on VPN connection. # Configuration for an always-on VPN connection. Use with vpn_config_disabled to prevent modification of this setting.
    &quot;lockdownEnabled&quot;: True or False, # Disallows networking when the VPN is not connected.
    &quot;packageName&quot;: &quot;A String&quot;, # The package name of the VPN app.
  },
  &quot;androidDevicePolicyTracks&quot;: [ # This setting is not supported. Any value is ignored.
    &quot;A String&quot;,
  ],
  &quot;appAutoUpdatePolicy&quot;: &quot;A String&quot;, # Recommended alternative: autoUpdateMode which is set per app, provides greater flexibility around update frequency.When autoUpdateMode is set to AUTO_UPDATE_POSTPONED or AUTO_UPDATE_HIGH_PRIORITY, this field has no effect.The app auto update policy, which controls when automatic app updates can be applied.
  &quot;appFunctions&quot;: &quot;A String&quot;, # Optional. Controls whether apps on the device for fully managed devices or in the work profile for devices with work profiles are allowed to expose app functions.
  &quot;applications&quot;: [ # Policy applied to apps. This can have at most 3,000 elements.
    { # Policy for an individual app. Note: Application availability on a given device cannot be changed using this policy if installAppsDisabled is enabled. The maximum number of applications that you can specify per policy is 3,000.
      &quot;accessibleTrackIds&quot;: [ # List of the app’s track IDs that a device belonging to the enterprise can access. If the list contains multiple track IDs, devices receive the latest version among all accessible tracks. If the list contains no track IDs, devices only have access to the app’s production track. More details about each track are available in AppTrackInfo.
        &quot;A String&quot;,
      ],
      &quot;alwaysOnVpnLockdownExemption&quot;: &quot;A String&quot;, # Specifies whether the app is allowed networking when the VPN is not connected and alwaysOnVpnPackage.lockdownEnabled is enabled. If set to VPN_LOCKDOWN_ENFORCED, the app is not allowed networking, and if set to VPN_LOCKDOWN_EXEMPTION, the app is allowed networking. Only supported on devices running Android 10 and above. If this is not supported by the device, the device will contain a NonComplianceDetail with non_compliance_reason set to API_LEVEL and a fieldPath. If this is not applicable to the app, the device will contain a NonComplianceDetail with non_compliance_reason set to UNSUPPORTED and a fieldPath. The fieldPath is set to applications[i].alwaysOnVpnLockdownExemption, where i is the index of the package in the applications policy.
      &quot;autoUpdateMode&quot;: &quot;A String&quot;, # Controls the auto-update mode for the app.
      &quot;connectedWorkAndPersonalApp&quot;: &quot;A String&quot;, # Controls whether the app can communicate with itself across a device’s work and personal profiles, subject to user consent.
      &quot;credentialProviderPolicy&quot;: &quot;A String&quot;, # Optional. Whether the app is allowed to act as a credential provider on Android 14 and above.
      &quot;customAppConfig&quot;: { # Configuration for a custom app. # Optional. Configuration for this custom app.install_type must be set to CUSTOM for this to be set.
        &quot;userUninstallSettings&quot;: &quot;A String&quot;, # Optional. User uninstall settings of the custom app.
      },
      &quot;defaultPermissionPolicy&quot;: &quot;A String&quot;, # The default policy for all permissions requested by the app. If specified, this overrides the policy-level default_permission_policy which applies to all apps. It does not override the permission_grants which applies to all apps.
      &quot;delegatedScopes&quot;: [ # The scopes delegated to the app from Android Device Policy. These provide additional privileges for the applications they are applied to.
        &quot;A String&quot;,
      ],
      &quot;disabled&quot;: True or False, # Whether the app is disabled. When disabled, the app data is still preserved.
      &quot;extensionConfig&quot;: { # Configuration to enable an app as an extension app, with the capability of interacting with Android Device Policy offline. For Android versions 11 and above, extension apps are exempt from battery restrictions so will not be placed into the restricted App Standby Bucket (https://developer.android.com/topic/performance/appstandby#restricted-bucket). Extensions apps are also protected against users clearing their data or force-closing the application, although admins can continue to use the clear app data command on extension apps if needed for Android 11 and above. # Configuration to enable this app as an extension app, with the capability of interacting with Android Device Policy offline.This field can be set for at most one app. If there is any app with COMPANION_APP role, this field cannot be set.The signing key certificate fingerprint of the app on the device must match one of the entries in ApplicationPolicy.signingKeyCerts or ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) or the signing key certificate fingerprints obtained from Play Store for the app to be able to communicate with Android Device Policy. If the app is not on Play Store and if ApplicationPolicy.signingKeyCerts and ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) are not set, a NonComplianceDetail with INVALID_VALUE is reported.
        &quot;notificationReceiver&quot;: &quot;A String&quot;, # Fully qualified class name of the receiver service class for Android Device Policy to notify the extension app of any local command status updates. The service must be exported in the extension app&#x27;s AndroidManifest.xml and extend NotificationReceiverService (https://developers.google.com/android/management/reference/amapi/com/google/android/managementapi/notification/NotificationReceiverService) (see Integrate with the AMAPI SDK (https://developers.google.com/android/management/sdk-integration) guide for more details).
        &quot;signingKeyFingerprintsSha256&quot;: [ # Hex-encoded SHA-256 hashes of the signing key certificates of the extension app. Only hexadecimal string representations of 64 characters are valid.The signing key certificate fingerprints are always obtained from the Play Store and this field is used to provide additional signing key certificate fingerprints. However, if the application is not available on the Play Store, this field needs to be set. A NonComplianceDetail with INVALID_VALUE is reported if this field is not set when the application is not available on the Play Store.The signing key certificate fingerprint of the extension app on the device must match one of the signing key certificate fingerprints obtained from the Play Store or the ones provided in this field for the app to be able to communicate with Android Device Policy.In production use cases, it is recommended to leave this empty.
          &quot;A String&quot;,
        ],
      },
      &quot;installConstraint&quot;: [ # Optional. The constraints for installing the app. You can specify a maximum of one InstallConstraint. Multiple constraints are rejected.
        { # Amongst apps with InstallType set to: FORCE_INSTALLED PREINSTALLEDthis defines a set of restrictions for the app installation. At least one of the fields must be set. When multiple fields are set, then all the constraints need to be satisfied for the app to be installed.
          &quot;chargingConstraint&quot;: &quot;A String&quot;, # Optional. Charging constraint.
          &quot;deviceIdleConstraint&quot;: &quot;A String&quot;, # Optional. Device idle constraint.
          &quot;networkTypeConstraint&quot;: &quot;A String&quot;, # Optional. Network type constraint.
        },
      ],
      &quot;installPriority&quot;: 42, # Optional. Amongst apps with installType set to: FORCE_INSTALLED PREINSTALLEDthis controls the relative priority of installation. A value of 0 (default) means this app has no priority over other apps. For values between 1 and 10,000, a lower value means a higher priority. Values outside of the range 0 to 10,000 inclusive are rejected.
      &quot;installType&quot;: &quot;A String&quot;, # The type of installation to perform.
      &quot;lockTaskAllowed&quot;: True or False, # Whether the app is allowed to lock itself in full-screen mode. DEPRECATED. Use InstallType KIOSK or kioskCustomLauncherEnabled to configure a dedicated device.
      &quot;managedConfiguration&quot;: { # Managed configuration applied to the app. The format for the configuration is dictated by the ManagedProperty values supported by the app. Each field name in the managed configuration must match the key field of the ManagedProperty. The field value must be compatible with the type of the ManagedProperty: *type* *JSON value* BOOL true or false STRING string INTEGER number CHOICE string MULTISELECT array of strings HIDDEN string BUNDLE_ARRAY array of objects
        &quot;a_key&quot;: &quot;&quot;, # Properties of the object.
      },
      &quot;managedConfigurationTemplate&quot;: { # The managed configurations template for the app, saved from the managed configurations iframe. # The managed configurations template for the app, saved from the managed configurations iframe. This field is ignored if managed_configuration is set.
        &quot;configurationVariables&quot;: { # Optional, a map containing configuration variables defined for the configuration.
          &quot;a_key&quot;: &quot;A String&quot;,
        },
        &quot;templateId&quot;: &quot;A String&quot;, # The ID of the managed configurations template.
      },
      &quot;minimumVersionCode&quot;: 42, # The minimum version of the app that runs on the device. If set, the device attempts to update the app to at least this version code. If the app is not up-to-date, the device will contain a NonComplianceDetail with non_compliance_reason set to APP_NOT_UPDATED. The app must already be published to Google Play with a version code greater than or equal to this value. At most 20 apps may specify a minimum version code per policy.
      &quot;packageName&quot;: &quot;A String&quot;, # The package name of the app. For example, com.google.android.youtube for the YouTube app.
      &quot;permissionGrants&quot;: [ # Explicit permission grants or denials for the app. These values override the default_permission_policy and permission_grants which apply to all apps.
        { # Configuration for an Android permission and its grant state.
          &quot;permission&quot;: &quot;A String&quot;, # The Android permission or group, e.g. android.permission.READ_CALENDAR or android.permission_group.CALENDAR.
          &quot;policy&quot;: &quot;A String&quot;, # The policy for granting the permission.
        },
      ],
      &quot;preferentialNetworkId&quot;: &quot;A String&quot;, # Optional. ID of the preferential network the application uses. There must be a configuration for the specified network ID in preferentialNetworkServiceConfigs. If set to PREFERENTIAL_NETWORK_ID_UNSPECIFIED, the application will use the default network ID specified in defaultPreferentialNetworkId. See the documentation of defaultPreferentialNetworkId for the list of apps excluded from this defaulting. This applies on both work profiles and fully managed devices on Android 13 and above.
      &quot;roles&quot;: [ # Optional. Roles the app has.Apps having certain roles can be exempted from power and background execution restrictions, suspension and hibernation on Android 14 and above. The user control can also be disallowed for apps with certain roles on Android 11 and above. Refer to the documentation of each RoleType for more details.The app is notified about the roles that are set for it if the app has a notification receiver service with . The app is notified whenever its roles are updated or after the app is installed when it has nonempty list of roles. The app can use this notification to bootstrap itself after the installation. See Integrate with the AMAPI SDK (https://developers.google.com/android/management/sdk-integration) and Manage app roles (https://developers.google.com/android/management/app-roles) guides for more details on the requirements for the service.For the exemptions to be applied and the app to be notified about the roles, the signing key certificate fingerprint of the app on the device must match one of the signing key certificate fingerprints obtained from Play Store or one of the entries in ApplicationPolicy.signingKeyCerts. Otherwise, a NonComplianceDetail with APP_SIGNING_CERT_MISMATCH is reported.There must not be duplicate roles with the same roleType. Multiple apps cannot hold a role with the same roleType. A role with type ROLE_TYPE_UNSPECIFIED is not allowed.
        { # Role an app can have.
          &quot;roleType&quot;: &quot;A String&quot;, # Required. The type of the role an app can have.
        },
      ],
      &quot;signingKeyCerts&quot;: [ # Optional. Signing key certificates of the app.This field is required in the following cases: The app has installType set to CUSTOM (i.e. a custom app). The app has roles set to a nonempty list and the app does not exist on the Play Store. The app has extensionConfig set (i.e. an extension app) but ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) is not set and the app does not exist on the Play Store.If this field is not set for a custom app, the policy is rejected. If it is not set when required for a non-custom app, a NonComplianceDetail with INVALID_VALUE is reported.For other cases, this field is optional and the signing key certificates obtained from Play Store are used.See following policy settings to see how this field is used: choosePrivateKeyRules ApplicationPolicy.InstallType.CUSTOM ApplicationPolicy.extensionConfig ApplicationPolicy.roles
        { # The application signing key certificate.
          &quot;signingKeyCertFingerprintSha256&quot;: &quot;A String&quot;, # Required. The SHA-256 hash value of the signing key certificate of the app. This must be a valid SHA-256 hash value, i.e. 32 bytes. Otherwise, the policy is rejected.
        },
      ],
      &quot;userControlSettings&quot;: &quot;A String&quot;, # Optional. Specifies whether user control is permitted for the app. User control includes user actions like force-stopping and clearing app data. Certain types of apps have special treatment, see USER_CONTROL_SETTINGS_UNSPECIFIED and USER_CONTROL_ALLOWED for more details.
      &quot;workProfileWidgets&quot;: &quot;A String&quot;, # Specifies whether the app installed in the work profile is allowed to add widgets to the home screen.
    },
  ],
  &quot;assistContentPolicy&quot;: &quot;A String&quot;, # Optional. Controls whether AssistContent (https://developer.android.com/reference/android/app/assist/AssistContent) is allowed to be sent to a privileged app such as an assistant app. AssistContent includes screenshots and information about an app, such as package name. This is supported on Android 15 and above.
  &quot;autoDateAndTimeZone&quot;: &quot;A String&quot;, # Whether auto date, time, and time zone are enabled on a company-owned device. If this is set, then autoTimeRequired is ignored.
  &quot;autoTimeRequired&quot;: True or False, # Whether auto time is required, which prevents the user from manually setting the date and time. If autoDateAndTimeZone is set, this field is ignored.
  &quot;blockApplicationsEnabled&quot;: True or False, # Whether applications other than the ones configured in applications are blocked from being installed. When set, applications that were installed under a previous policy but no longer appear in the policy are automatically uninstalled.
  &quot;bluetoothConfigDisabled&quot;: True or False, # Whether configuring bluetooth is disabled.
  &quot;bluetoothContactSharingDisabled&quot;: True or False, # Whether bluetooth contact sharing is disabled.
  &quot;bluetoothDisabled&quot;: True or False, # Whether bluetooth is disabled. Prefer this setting over bluetooth_config_disabled because bluetooth_config_disabled can be bypassed by the user.
  &quot;cameraAccess&quot;: &quot;A String&quot;, # Controls the use of the camera and whether the user has access to the camera access toggle.
  &quot;cameraDisabled&quot;: True or False, # If camera_access is set to any value other than CAMERA_ACCESS_UNSPECIFIED, this has no effect. Otherwise this field controls whether cameras are disabled: If true, all cameras are disabled, otherwise they are available. For fully managed devices this field applies for all apps on the device. For work profiles, this field applies only to apps in the work profile, and the camera access of apps outside the work profile is unaffected.
  &quot;cellBroadcastsConfigDisabled&quot;: True or False, # Whether configuring cell broadcast is disabled.
  &quot;choosePrivateKeyRules&quot;: [ # Rules for determining apps&#x27; access to private keys. See ChoosePrivateKeyRule for details. This must be empty if any application has CERT_SELECTION delegation scope.
    { # Controls apps&#x27; access to private keys. The rule determines which private key, if any, Android Device Policy grants to the specified app. Access is granted either when the app calls KeyChain.choosePrivateKeyAlias (https://developer.android.com/reference/android/security/KeyChain#choosePrivateKeyAlias%28android.app.Activity,%20android.security.KeyChainAliasCallback,%20java.lang.String[],%20java.security.Principal[],%20java.lang.String,%20int,%20java.lang.String%29) (or any overloads) to request a private key alias for a given URL, or for rules that are not URL-specific (that is, if urlPattern is not set, or set to the empty string or .*) on Android 11 and above, directly so that the app can call KeyChain.getPrivateKey (https://developer.android.com/reference/android/security/KeyChain#getPrivateKey%28android.content.Context,%20java.lang.String%29), without first having to call KeyChain.choosePrivateKeyAlias.When an app calls KeyChain.choosePrivateKeyAlias if more than one choosePrivateKeyRules matches, the last matching rule defines which key alias to return.
      &quot;packageNames&quot;: [ # The package names to which this rule applies. The signing key certificate fingerprint of the app is verified against the signing key certificate fingerprints provided by Play Store and ApplicationPolicy.signingKeyCerts . If no package names are specified, then the alias is provided to all apps that call KeyChain.choosePrivateKeyAlias (https://developer.android.com/reference/android/security/KeyChain#choosePrivateKeyAlias%28android.app.Activity,%20android.security.KeyChainAliasCallback,%20java.lang.String[],%20java.security.Principal[],%20java.lang.String,%20int,%20java.lang.String%29) or any overloads (but not without calling KeyChain.choosePrivateKeyAlias, even on Android 11 and above). Any app with the same Android UID as a package specified here will have access when they call KeyChain.choosePrivateKeyAlias.
        &quot;A String&quot;,
      ],
      &quot;privateKeyAlias&quot;: &quot;A String&quot;, # The alias of the private key to be used.
      &quot;urlPattern&quot;: &quot;A String&quot;, # The URL pattern to match against the URL of the request. If not set or empty, it matches all URLs. This uses the regular expression syntax of java.util.regex.Pattern.
    },
  ],
  &quot;complianceRules&quot;: [ # Rules declaring which mitigating actions to take when a device is not compliant with its policy. When the conditions for multiple rules are satisfied, all of the mitigating actions for the rules are taken. There is a maximum limit of 100 rules. Use policy enforcement rules instead.
    { # A rule declaring which mitigating actions to take when a device is not compliant with its policy. For every rule, there is always an implicit mitigating action to set policy_compliant to false for the Device resource, and display a message on the device indicating that the device is not compliant with its policy. Other mitigating actions may optionally be taken as well, depending on the field values in the rule.
      &quot;apiLevelCondition&quot;: { # A compliance rule condition which is satisfied if the Android Framework API level on the device doesn&#x27;t meet a minimum requirement. There can only be one rule with this type of condition per policy. # A condition which is satisfied if the Android Framework API level on the device doesn&#x27;t meet a minimum requirement.
        &quot;minApiLevel&quot;: 42, # The minimum desired Android Framework API level. If the device doesn&#x27;t meet the minimum requirement, this condition is satisfied. Must be greater than zero.
      },
      &quot;disableApps&quot;: True or False, # If set to true, the rule includes a mitigating action to disable apps so that the device is effectively disabled, but app data is preserved. If the device is running an app in locked task mode, the app will be closed and a UI showing the reason for non-compliance will be displayed.
      &quot;nonComplianceDetailCondition&quot;: { # A compliance rule condition which is satisfied if there exists any matching NonComplianceDetail for the device. A NonComplianceDetail matches a NonComplianceDetailCondition if all the fields which are set within the NonComplianceDetailCondition match the corresponding NonComplianceDetail fields. # A condition which is satisfied if there exists any matching NonComplianceDetail for the device.
        &quot;nonComplianceReason&quot;: &quot;A String&quot;, # The reason the device is not in compliance with the setting. If not set, then this condition matches any reason.
        &quot;packageName&quot;: &quot;A String&quot;, # The package name of the app that&#x27;s out of compliance. If not set, then this condition matches any package name.
        &quot;settingName&quot;: &quot;A String&quot;, # The name of the policy setting. This is the JSON field name of a top-level Policy field. If not set, then this condition matches any setting name.
      },
      &quot;packageNamesToDisable&quot;: [ # If set, the rule includes a mitigating action to disable apps specified in the list, but app data is preserved.
        &quot;A String&quot;,
      ],
    },
  ],
  &quot;createWindowsDisabled&quot;: True or False, # Whether creating windows besides app windows is disabled.
  &quot;credentialProviderPolicyDefault&quot;: &quot;A String&quot;, # Controls which apps are allowed to act as credential providers on Android 14 and above. These apps store credentials, see this (https://developer.android.com/training/sign-in/passkeys) and this (https://developer.android.com/reference/androidx/credentials/CredentialManager) for details. See also credentialProviderPolicy.
  &quot;credentialsConfigDisabled&quot;: True or False, # Whether configuring user credentials is disabled.
  &quot;crossProfilePolicies&quot;: { # Controls the data from the work profile that can be accessed from the personal profile and vice versa. A NonComplianceDetail with MANAGEMENT_MODE is reported if the device does not have a work profile. # Cross-profile policies applied on the device.
    &quot;crossProfileAppFunctions&quot;: &quot;A String&quot;, # Optional. Controls whether personal profile apps can invoke app functions exposed by apps in the work profile.
    &quot;crossProfileCopyPaste&quot;: &quot;A String&quot;, # Whether text copied from one profile (personal or work) can be pasted in the other profile.
    &quot;crossProfileDataSharing&quot;: &quot;A String&quot;, # Whether data from one profile (personal or work) can be shared with apps in the other profile. Specifically controls simple data sharing via intents. Management of other cross-profile communication channels, such as contact search, copy/paste, or connected work &amp; personal apps, are configured separately.
    &quot;exemptionsToShowWorkContactsInPersonalProfile&quot;: { # A list of package names. # List of apps which are excluded from the ShowWorkContactsInPersonalProfile setting. For this to be set, ShowWorkContactsInPersonalProfile must be set to one of the following values: SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_ALLOWED. In this case, these exemptions act as a blocklist. SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED. In this case, these exemptions act as an allowlist. SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED_EXCEPT_SYSTEM. In this case, these exemptions act as an allowlist, in addition to the already allowlisted system apps.Supported on Android 14 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 14.
      &quot;packageNames&quot;: [ # A list of package names.
        &quot;A String&quot;,
      ],
    },
    &quot;showWorkContactsInPersonalProfile&quot;: &quot;A String&quot;, # Whether personal apps can access contacts stored in the work profile.See also exemptions_to_show_work_contacts_in_personal_profile.
    &quot;workProfileWidgetsDefault&quot;: &quot;A String&quot;, # Specifies the default behaviour for work profile widgets. If the policy does not specify work_profile_widgets for a specific application, it will behave according to the value specified here.
  },
  &quot;dataRoamingDisabled&quot;: True or False, # Whether roaming data services are disabled.
  &quot;debuggingFeaturesAllowed&quot;: True or False, # Whether the user is allowed to enable debugging features.
  &quot;defaultApplicationSettings&quot;: [ # Optional. The default application setting for supported types. If the default application is successfully set for at least one app type on a profile, users are prevented from changing any default applications on that profile.Only one DefaultApplicationSetting is allowed for each DefaultApplicationType.See Default application settings (https://developers.google.com/android/management/default-application-settings) guide for more details.
    { # The default application setting for a DefaultApplicationType.
      &quot;defaultApplicationScopes&quot;: [ # Required. The scopes to which the policy should be applied. This list must not be empty or contain duplicates.A NonComplianceDetail with MANAGEMENT_MODE reason and DEFAULT_APPLICATION_SETTING_UNSUPPORTED_SCOPES specific reason is reported if none of the specified scopes can be applied to the management mode (e.g. a fully managed device receives a policy with only SCOPE_PERSONAL_PROFILE in the list).
        &quot;A String&quot;,
      ],
      &quot;defaultApplicationType&quot;: &quot;A String&quot;, # Required. The app type to set the default application.
      &quot;defaultApplications&quot;: [ # Required. The list of applications that can be set as the default app for a given type. This list must not be empty or contain duplicates. The first app in the list that is installed and qualified for the defaultApplicationType (e.g. SMS app for DEFAULT_SMS) is set as the default app. The signing key certificate fingerprint of the app on the device must also match one of the signing key certificate fingerprints obtained from Play Store or one of the entries in ApplicationPolicy.signingKeyCerts in order to be set as the default.If the defaultApplicationScopes contains SCOPE_FULLY_MANAGED or SCOPE_WORK_PROFILE, the app must have an entry in applications with installType set to a value other than BLOCKED.A NonComplianceDetail with APP_NOT_INSTALLED reason and DEFAULT_APPLICATION_SETTING_FAILED_FOR_SCOPE specific reason is reported if none of the apps in the list are installed. A NonComplianceDetail with INVALID_VALUE reason and DEFAULT_APPLICATION_SETTING_FAILED_FOR_SCOPE specific reason is reported if at least one app is installed but the policy fails to apply due to other reasons (e.g. the app is not of the right type).When applying to SCOPE_PERSONAL_PROFILE on a company-owned device with a work profile, only pre-installed system apps can be set as the default. A NonComplianceDetail with INVALID_VALUE reason and DEFAULT_APPLICATION_SETTING_FAILED_FOR_SCOPE specific reason is reported if the policy fails to apply to the personal profile.
        { # Information about the application to be set as the default.
          &quot;packageName&quot;: &quot;A String&quot;, # Required. The package name that should be set as the default application. The policy is rejected if the package name is invalid.
        },
      ],
    },
  ],
  &quot;defaultPermissionPolicy&quot;: &quot;A String&quot;, # The default permission policy for runtime permission requests.
  &quot;deviceConnectivityManagement&quot;: { # Covers controls for device connectivity such as Wi-Fi, USB data access, keyboard/mouse connections, and more. # Covers controls for device connectivity such as Wi-Fi, USB data access, keyboard/mouse connections, and more.
    &quot;apnPolicy&quot;: { # Access Point Name (APN) policy. Configuration for Access Point Names (APNs) which may override any other APNs on the device. See OVERRIDE_APNS_ENABLED and overrideApns for details. # Optional. Access Point Name (APN) policy. Configuration for Access Point Names (APNs) which may override any other APNs on the device. See OVERRIDE_APNS_ENABLED and overrideApns for details.
      &quot;apnSettings&quot;: [ # Optional. APN settings for override APNs. There must not be any conflict between any of APN settings provided, otherwise the policy will be rejected. Two ApnSettings are considered to conflict when all of the following fields match on both: numericOperatorId, apn, proxyAddress, proxyPort, mmsProxyAddress, mmsProxyPort, mmsc, mvnoType, protocol, roamingProtocol. If some of the APN settings result in non-compliance of INVALID_VALUE , they will be ignored. This can be set on fully managed devices on Android 10 and above. This can also be set on work profiles on Android 13 and above and only with ApnSetting&#x27;s with ENTERPRISE APN type. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 10. A NonComplianceDetail with MANAGEMENT_MODE is reported for work profiles on Android versions less than 13.
        { # An Access Point Name (APN) configuration for a carrier data connection. The APN provides configuration to connect a cellular network device to an IP data network. A carrier uses this setting to decide which IP address to assign, any security methods to apply, and how the device might be connected to private networks.
          &quot;alwaysOnSetting&quot;: &quot;A String&quot;, # Optional. Whether User Plane resources have to be activated during every transition from CM-IDLE mode to CM-CONNECTED state for this APN. See 3GPP TS 23.501 section 5.6.13.
          &quot;apn&quot;: &quot;A String&quot;, # Required. Name of the APN. Policy will be rejected if this field is empty.
          &quot;apnTypes&quot;: [ # Required. Usage categories for the APN. Policy will be rejected if this field is empty or contains APN_TYPE_UNSPECIFIED or duplicates. Multiple APN types can be set on fully managed devices. ENTERPRISE is the only allowed APN type on work profiles. A NonComplianceDetail with MANAGEMENT_MODE is reported for any other value on work profiles. APN types that are not supported on the device or management mode will be ignored. If this results in the empty list, the APN setting will be ignored, because apnTypes is a required field. A NonComplianceDetail with INVALID_VALUE is reported if none of the APN types are supported on the device or management mode.
            &quot;A String&quot;,
          ],
          &quot;authType&quot;: &quot;A String&quot;, # Optional. Authentication type of the APN.
          &quot;carrierId&quot;: 42, # Optional. Carrier ID for the APN. A value of 0 (default) means not set and negative values are rejected.
          &quot;displayName&quot;: &quot;A String&quot;, # Required. Human-readable name that describes the APN. Policy will be rejected if this field is empty.
          &quot;mmsProxyAddress&quot;: &quot;A String&quot;, # Optional. MMS (Multimedia Messaging Service) proxy address of the APN which can be an IP address or hostname (not a URL).
          &quot;mmsProxyPort&quot;: 42, # Optional. MMS (Multimedia Messaging Service) proxy port of the APN. A value of 0 (default) means not set and negative values are rejected.
          &quot;mmsc&quot;: &quot;A String&quot;, # Optional. MMSC (Multimedia Messaging Service Center) URI of the APN.
          &quot;mtuV4&quot;: 42, # Optional. The default MTU (Maximum Transmission Unit) size in bytes of the IPv4 routes brought up by this APN setting. A value of 0 (default) means not set and negative values are rejected. Supported on Android 13 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 13.
          &quot;mtuV6&quot;: 42, # Optional. The MTU (Maximum Transmission Unit) size of the IPv6 mobile interface to which the APN connected. A value of 0 (default) means not set and negative values are rejected. Supported on Android 13 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 13.
          &quot;mvnoType&quot;: &quot;A String&quot;, # Optional. MVNO match type for the APN.
          &quot;networkTypes&quot;: [ # Optional. Radio technologies (network types) the APN may use. Policy will be rejected if this field contains NETWORK_TYPE_UNSPECIFIED or duplicates.
            &quot;A String&quot;,
          ],
          &quot;numericOperatorId&quot;: &quot;A String&quot;, # Optional. The numeric operator ID of the APN. Numeric operator ID is defined as MCC (Mobile Country Code) + MNC (Mobile Network Code).
          &quot;password&quot;: &quot;A String&quot;, # Optional. APN password of the APN.
          &quot;protocol&quot;: &quot;A String&quot;, # Optional. The protocol to use to connect to this APN.
          &quot;proxyAddress&quot;: &quot;A String&quot;, # Optional. The proxy address of the APN.
          &quot;proxyPort&quot;: 42, # Optional. The proxy port of the APN. A value of 0 (default) means not set and negative values are rejected.
          &quot;roamingProtocol&quot;: &quot;A String&quot;, # Optional. The protocol to use to connect to this APN while the device is roaming.
          &quot;username&quot;: &quot;A String&quot;, # Optional. APN username of the APN.
        },
      ],
      &quot;overrideApns&quot;: &quot;A String&quot;, # Optional. Whether override APNs are disabled or enabled. See DevicePolicyManager.setOverrideApnsEnabled (https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setOverrideApnsEnabled) for more details.
    },
    &quot;bluetoothSharing&quot;: &quot;A String&quot;, # Optional. Controls whether Bluetooth sharing is allowed.
    &quot;configureWifi&quot;: &quot;A String&quot;, # Controls Wi-Fi configuring privileges. Based on the option set, user will have either full or limited or no control in configuring Wi-Fi networks.
    &quot;preferentialNetworkServiceSettings&quot;: { # Preferential network service settings. # Optional. Preferential network service configuration. Setting this field will override preferentialNetworkService. This can be set on both work profiles and fully managed devices on Android 13 and above. See 5G network slicing (https://developers.google.com/android/management/5g-network-slicing) guide for more details.
      &quot;defaultPreferentialNetworkId&quot;: &quot;A String&quot;, # Required. Default preferential network ID for the applications that are not in applications or if ApplicationPolicy.preferentialNetworkId is set to PREFERENTIAL_NETWORK_ID_UNSPECIFIED. There must be a configuration for the specified network ID in preferentialNetworkServiceConfigs, unless this is set to NO_PREFERENTIAL_NETWORK. If set to PREFERENTIAL_NETWORK_ID_UNSPECIFIED or unset, this defaults to NO_PREFERENTIAL_NETWORK. Note: If the default preferential network is misconfigured, applications with no ApplicationPolicy.preferentialNetworkId set are not able to access the internet. This setting does not apply to the following critical apps: com.google.android.apps.work.clouddpc com.google.android.gmsApplicationPolicy.preferentialNetworkId can still be used to configure the preferential network for them.
      &quot;preferentialNetworkServiceConfigs&quot;: [ # Required. Preferential network service configurations which enables having multiple enterprise slices. There must not be multiple configurations with the same preferentialNetworkId. If a configuration is not referenced by any application by setting ApplicationPolicy.preferentialNetworkId or by setting defaultPreferentialNetworkId, it will be ignored. For devices on 4G networks, enterprise APN needs to be configured additionally to set up data call for preferential network service. These APNs can be added using apnPolicy.
        { # Individual preferential network service configuration.
          &quot;fallbackToDefaultConnection&quot;: &quot;A String&quot;, # Optional. Whether fallback to the device-wide default network is allowed. If this is set to FALLBACK_TO_DEFAULT_CONNECTION_ALLOWED, then nonMatchingNetworks must not be set to NON_MATCHING_NETWORKS_DISALLOWED, the policy will be rejected otherwise. Note: If this is set to FALLBACK_TO_DEFAULT_CONNECTION_DISALLOWED, applications are not able to access the internet if the 5G slice is not available.
          &quot;nonMatchingNetworks&quot;: &quot;A String&quot;, # Optional. Whether apps this configuration applies to are blocked from using networks other than the preferential service. If this is set to NON_MATCHING_NETWORKS_DISALLOWED, then fallbackToDefaultConnection must be set to FALLBACK_TO_DEFAULT_CONNECTION_DISALLOWED.
          &quot;preferentialNetworkId&quot;: &quot;A String&quot;, # Required. Preferential network identifier. This must not be set to NO_PREFERENTIAL_NETWORK or PREFERENTIAL_NETWORK_ID_UNSPECIFIED, the policy will be rejected otherwise.
        },
      ],
    },
    &quot;tetheringSettings&quot;: &quot;A String&quot;, # Controls tethering settings. Based on the value set, the user is partially or fully disallowed from using different forms of tethering.
    &quot;usbDataAccess&quot;: &quot;A String&quot;, # Controls what files and/or data can be transferred via USB. Supported only on company-owned devices.
    &quot;wifiDirectSettings&quot;: &quot;A String&quot;, # Controls configuring and using Wi-Fi direct settings. Supported on company-owned devices running Android 13 and above.
    &quot;wifiRoamingPolicy&quot;: { # Wi-Fi roaming policy. # Optional. Wi-Fi roaming policy.
      &quot;wifiRoamingSettings&quot;: [ # Optional. Wi-Fi roaming settings. SSIDs provided in this list must be unique, the policy will be rejected otherwise.
        { # Wi-Fi roaming setting.
          &quot;wifiRoamingMode&quot;: &quot;A String&quot;, # Required. Wi-Fi roaming mode for the specified SSID.
          &quot;wifiSsid&quot;: &quot;A String&quot;, # Required. SSID of the Wi-Fi network.
        },
      ],
    },
    &quot;wifiSsidPolicy&quot;: { # Restrictions on which Wi-Fi SSIDs the device can connect to. Note that this does not affect which networks can be configured on the device. Supported on company-owned devices running Android 13 and above. # Restrictions on which Wi-Fi SSIDs the device can connect to. Note that this does not affect which networks can be configured on the device. Supported on company-owned devices running Android 13 and above.
      &quot;wifiSsidPolicyType&quot;: &quot;A String&quot;, # Type of the Wi-Fi SSID policy to be applied.
      &quot;wifiSsids&quot;: [ # Optional. List of Wi-Fi SSIDs that should be applied in the policy. This field must be non-empty when WifiSsidPolicyType is set to WIFI_SSID_ALLOWLIST. If this is set to a non-empty list, then a NonComplianceDetail detail with API_LEVEL is reported if the Android version is less than 13 and a NonComplianceDetail with MANAGEMENT_MODE is reported for non-company-owned devices.
        { # Represents a Wi-Fi SSID.
          &quot;wifiSsid&quot;: &quot;A String&quot;, # Required. Wi-Fi SSID represented as a string.
        },
      ],
    },
  },
  &quot;deviceOwnerLockScreenInfo&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # The device owner information to be shown on the lock screen.
    &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
    &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
      &quot;a_key&quot;: &quot;A String&quot;,
    },
  },
  &quot;deviceRadioState&quot;: { # Controls for device radio settings. # Covers controls for radio state such as Wi-Fi, bluetooth, and more.
    &quot;airplaneModeState&quot;: &quot;A String&quot;, # Controls whether airplane mode can be toggled by the user or not.
    &quot;cellularTwoGState&quot;: &quot;A String&quot;, # Controls whether cellular 2G setting can be toggled by the user or not.
    &quot;minimumWifiSecurityLevel&quot;: &quot;A String&quot;, # The minimum required security level of Wi-Fi networks that the device can connect to.
    &quot;ultraWidebandState&quot;: &quot;A String&quot;, # Controls the state of the ultra wideband setting and whether the user can toggle it on or off.
    &quot;wifiState&quot;: &quot;A String&quot;, # Controls current state of Wi-Fi and if user can change its state.
  },
  &quot;displaySettings&quot;: { # Controls for the display settings. # Optional. Controls for the display settings.
    &quot;screenBrightnessSettings&quot;: { # Controls for the screen brightness settings. # Optional. Controls the screen brightness settings.
      &quot;screenBrightness&quot;: 42, # Optional. The screen brightness between 1 and 255 where 1 is the lowest and 255 is the highest brightness. A value of 0 (default) means no screen brightness set. Any other value is rejected. screenBrightnessMode must be either BRIGHTNESS_AUTOMATIC or BRIGHTNESS_FIXED to set this. Supported on Android 9 and above on fully managed devices. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 9. Supported on work profiles on company-owned devices on Android 15 and above.
      &quot;screenBrightnessMode&quot;: &quot;A String&quot;, # Optional. Controls the screen brightness mode.
    },
    &quot;screenTimeoutSettings&quot;: { # Controls the screen timeout settings. # Optional. Controls the screen timeout settings.
      &quot;screenTimeout&quot;: &quot;A String&quot;, # Optional. Controls the screen timeout duration. The screen timeout duration must be greater than 0, otherwise it is rejected. Additionally, it should not be greater than maximumTimeToLock, otherwise the screen timeout is set to maximumTimeToLock and a NonComplianceDetail with INVALID_VALUE reason and SCREEN_TIMEOUT_GREATER_THAN_MAXIMUM_TIME_TO_LOCK specific reason is reported. If the screen timeout is less than a certain lower bound, it is set to the lower bound. The lower bound may vary across devices. If this is set, screenTimeoutMode must be SCREEN_TIMEOUT_ENFORCED. Supported on Android 9 and above on fully managed devices. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 9. Supported on work profiles on company-owned devices on Android 15 and above.
      &quot;screenTimeoutMode&quot;: &quot;A String&quot;, # Optional. Controls whether the user is allowed to configure the screen timeout.
    },
  },
  &quot;encryptionPolicy&quot;: &quot;A String&quot;, # Whether encryption is enabled
  &quot;ensureVerifyAppsEnabled&quot;: True or False, # Whether app verification is force-enabled.
  &quot;enterpriseDisplayNameVisibility&quot;: &quot;A String&quot;, # Optional. Controls whether the enterpriseDisplayName is visible on the device (e.g. lock screen message on company-owned devices).
  &quot;factoryResetDisabled&quot;: True or False, # Whether factory resetting from settings is disabled.
  &quot;frpAdminEmails&quot;: [ # Email addresses of device administrators for factory reset protection. When the device is factory reset, it will require one of these admins to log in with the Google account email and password to unlock the device. If no admins are specified, the device won&#x27;t provide factory reset protection.
    &quot;A String&quot;,
  ],
  &quot;funDisabled&quot;: True or False, # Whether the user is allowed to have fun. Controls whether the Easter egg game in Settings is disabled.
  &quot;installAppsDisabled&quot;: True or False, # Whether user installation of apps is disabled.
  &quot;installUnknownSourcesAllowed&quot;: True or False, # This field has no effect.
  &quot;keyguardDisabled&quot;: True or False, # If true, this disables the Lock Screen (https://source.android.com/docs/core/display/multi_display/lock-screen) for primary and/or secondary displays. This policy is supported only in dedicated device management mode.
  &quot;keyguardDisabledFeatures&quot;: [ # Disabled keyguard customizations, such as widgets.
    &quot;A String&quot;,
  ],
  &quot;kioskCustomLauncherEnabled&quot;: True or False, # Whether the kiosk custom launcher is enabled. This replaces the home screen with a launcher that locks down the device to the apps installed via the applications setting. Apps appear on a single page in alphabetical order. Use kioskCustomization to further configure the kiosk device behavior.
  &quot;kioskCustomization&quot;: { # Settings controlling the behavior of a device in kiosk mode. To enable kiosk mode, set kioskCustomLauncherEnabled to true or specify an app in the policy with installType KIOSK. # Settings controlling the behavior of a device in kiosk mode. To enable kiosk mode, set kioskCustomLauncherEnabled to true or specify an app in the policy with installType KIOSK.
    &quot;deviceSettings&quot;: &quot;A String&quot;, # Specifies whether the Settings app is allowed in kiosk mode.
    &quot;powerButtonActions&quot;: &quot;A String&quot;, # Sets the behavior of a device in kiosk mode when a user presses and holds (long-presses) the Power button.
    &quot;statusBar&quot;: &quot;A String&quot;, # Specifies whether system info and notifications are disabled in kiosk mode.
    &quot;systemErrorWarnings&quot;: &quot;A String&quot;, # Specifies whether system error dialogs for crashed or unresponsive apps are blocked in kiosk mode. When blocked, the system will force-stop the app as if the user chooses the &quot;close app&quot; option on the UI.
    &quot;systemNavigation&quot;: &quot;A String&quot;, # Specifies which navigation features are enabled (e.g. Home, Overview buttons) in kiosk mode.
  },
  &quot;locationMode&quot;: &quot;A String&quot;, # The degree of location detection enabled.
  &quot;longSupportMessage&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # A message displayed to the user in the device administators settings screen.
    &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
    &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
      &quot;a_key&quot;: &quot;A String&quot;,
    },
  },
  &quot;maximumTimeToLock&quot;: &quot;A String&quot;, # Maximum time in milliseconds for user activity until the device locks. A value of 0 means there is no restriction.
  &quot;microphoneAccess&quot;: &quot;A String&quot;, # Controls the use of the microphone and whether the user has access to the microphone access toggle. This applies only on fully managed devices.
  &quot;minimumApiLevel&quot;: 42, # The minimum allowed Android API level.
  &quot;mobileNetworksConfigDisabled&quot;: True or False, # Whether configuring mobile networks is disabled.
  &quot;modifyAccountsDisabled&quot;: True or False, # Whether adding or removing accounts is disabled.
  &quot;mountPhysicalMediaDisabled&quot;: True or False, # Whether the user mounting physical external media is disabled.
  &quot;name&quot;: &quot;A String&quot;, # The name of the policy in the form enterprises/{enterpriseId}/policies/{policyId}.
  &quot;networkEscapeHatchEnabled&quot;: True or False, # Whether the network escape hatch is enabled. If a network connection can&#x27;t be made at boot time, the escape hatch prompts the user to temporarily connect to a network in order to refresh the device policy. After applying policy, the temporary network will be forgotten and the device will continue booting. This prevents being unable to connect to a network if there is no suitable network in the last policy and the device boots into an app in lock task mode, or the user is otherwise unable to reach device settings.Note: Setting wifiConfigDisabled to true will override this setting under specific circumstances. Please see wifiConfigDisabled for further details. Setting configureWifi to DISALLOW_CONFIGURING_WIFI will override this setting under specific circumstances. Please see DISALLOW_CONFIGURING_WIFI for further details.
  &quot;networkResetDisabled&quot;: True or False, # Whether resetting network settings is disabled.
  &quot;oncCertificateProviders&quot;: [ # This feature is not generally available.
    { # This feature is not generally available.
      &quot;certificateReferences&quot;: [ # This feature is not generally available.
        &quot;A String&quot;,
      ],
      &quot;contentProviderEndpoint&quot;: { # This feature is not generally available. # This feature is not generally available.
        &quot;packageName&quot;: &quot;A String&quot;, # This feature is not generally available.
        &quot;signingCertsSha256&quot;: [ # Required. This feature is not generally available.
          &quot;A String&quot;,
        ],
        &quot;uri&quot;: &quot;A String&quot;, # This feature is not generally available.
      },
    },
  ],
  &quot;openNetworkConfiguration&quot;: { # Network configuration for the device. See configure networks for more information.
    &quot;a_key&quot;: &quot;&quot;, # Properties of the object.
  },
  &quot;outgoingBeamDisabled&quot;: True or False, # Whether using NFC to beam data from apps is disabled.
  &quot;outgoingCallsDisabled&quot;: True or False, # Whether outgoing calls are disabled.
  &quot;passwordPolicies&quot;: [ # Password requirement policies. Different policies can be set for work profile or fully managed devices by setting the password_scope field in the policy.
    { # Requirements for the password used to unlock a device.
      &quot;maximumFailedPasswordsForWipe&quot;: 42, # Number of incorrect device-unlock passwords that can be entered before a device is wiped. A value of 0 means there is no restriction.
      &quot;passwordExpirationTimeout&quot;: &quot;A String&quot;, # Password expiration timeout.
      &quot;passwordHistoryLength&quot;: 42, # The length of the password history. After setting this field, the user won&#x27;t be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction.
      &quot;passwordMinimumLength&quot;: 42, # The minimum allowed password length. A value of 0 means there is no restriction. Only enforced when password_quality is NUMERIC, NUMERIC_COMPLEX, ALPHABETIC, ALPHANUMERIC, or COMPLEX.
      &quot;passwordMinimumLetters&quot;: 42, # Minimum number of letters required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumLowerCase&quot;: 42, # Minimum number of lower case letters required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumNonLetter&quot;: 42, # Minimum number of non-letter characters (numerical digits or symbols) required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumNumeric&quot;: 42, # Minimum number of numerical digits required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumSymbols&quot;: 42, # Minimum number of symbols required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumUpperCase&quot;: 42, # Minimum number of upper case letters required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordQuality&quot;: &quot;A String&quot;, # The required password quality.
      &quot;passwordScope&quot;: &quot;A String&quot;, # The scope that the password requirement applies to.
      &quot;requirePasswordUnlock&quot;: &quot;A String&quot;, # The length of time after a device or work profile is unlocked using a strong form of authentication (password, PIN, pattern) that it can be unlocked using any other authentication method (e.g. fingerprint, trust agents, face). After the specified time period elapses, only strong forms of authentication can be used to unlock the device or work profile.
      &quot;unifiedLockSettings&quot;: &quot;A String&quot;, # Controls whether a unified lock is allowed for the device and the work profile, on devices running Android 9 and above with a work profile. This can be set only if password_scope is set to SCOPE_PROFILE, the policy will be rejected otherwise. If user has not set a separate work lock and this field is set to REQUIRE_SEPARATE_WORK_LOCK, a NonComplianceDetail is reported with nonComplianceReason set to USER_ACTION.
    },
  ],
  &quot;passwordRequirements&quot;: { # Requirements for the password used to unlock a device. # Password requirements. The field password_requirements.require_password_unlock must not be set. DEPRECATED - Use passwordPolicies.Note:Complexity-based values of PasswordQuality, that is, COMPLEXITY_LOW, COMPLEXITY_MEDIUM, and COMPLEXITY_HIGH, cannot be used here. unified_lock_settings cannot be used here.
    &quot;maximumFailedPasswordsForWipe&quot;: 42, # Number of incorrect device-unlock passwords that can be entered before a device is wiped. A value of 0 means there is no restriction.
    &quot;passwordExpirationTimeout&quot;: &quot;A String&quot;, # Password expiration timeout.
    &quot;passwordHistoryLength&quot;: 42, # The length of the password history. After setting this field, the user won&#x27;t be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction.
    &quot;passwordMinimumLength&quot;: 42, # The minimum allowed password length. A value of 0 means there is no restriction. Only enforced when password_quality is NUMERIC, NUMERIC_COMPLEX, ALPHABETIC, ALPHANUMERIC, or COMPLEX.
    &quot;passwordMinimumLetters&quot;: 42, # Minimum number of letters required in the password. Only enforced when password_quality is COMPLEX.
    &quot;passwordMinimumLowerCase&quot;: 42, # Minimum number of lower case letters required in the password. Only enforced when password_quality is COMPLEX.
    &quot;passwordMinimumNonLetter&quot;: 42, # Minimum number of non-letter characters (numerical digits or symbols) required in the password. Only enforced when password_quality is COMPLEX.
    &quot;passwordMinimumNumeric&quot;: 42, # Minimum number of numerical digits required in the password. Only enforced when password_quality is COMPLEX.
    &quot;passwordMinimumSymbols&quot;: 42, # Minimum number of symbols required in the password. Only enforced when password_quality is COMPLEX.
    &quot;passwordMinimumUpperCase&quot;: 42, # Minimum number of upper case letters required in the password. Only enforced when password_quality is COMPLEX.
    &quot;passwordQuality&quot;: &quot;A String&quot;, # The required password quality.
    &quot;passwordScope&quot;: &quot;A String&quot;, # The scope that the password requirement applies to.
    &quot;requirePasswordUnlock&quot;: &quot;A String&quot;, # The length of time after a device or work profile is unlocked using a strong form of authentication (password, PIN, pattern) that it can be unlocked using any other authentication method (e.g. fingerprint, trust agents, face). After the specified time period elapses, only strong forms of authentication can be used to unlock the device or work profile.
    &quot;unifiedLockSettings&quot;: &quot;A String&quot;, # Controls whether a unified lock is allowed for the device and the work profile, on devices running Android 9 and above with a work profile. This can be set only if password_scope is set to SCOPE_PROFILE, the policy will be rejected otherwise. If user has not set a separate work lock and this field is set to REQUIRE_SEPARATE_WORK_LOCK, a NonComplianceDetail is reported with nonComplianceReason set to USER_ACTION.
  },
  &quot;permissionGrants&quot;: [ # Explicit permission or group grants or denials for all apps. These values override the default_permission_policy.
    { # Configuration for an Android permission and its grant state.
      &quot;permission&quot;: &quot;A String&quot;, # The Android permission or group, e.g. android.permission.READ_CALENDAR or android.permission_group.CALENDAR.
      &quot;policy&quot;: &quot;A String&quot;, # The policy for granting the permission.
    },
  ],
  &quot;permittedAccessibilityServices&quot;: { # A list of package names. # Specifies permitted accessibility services. If the field is not set, any accessibility service can be used. If the field is set, only the accessibility services in this list and the system&#x27;s built-in accessibility service can be used. In particular, if the field is set to empty, only the system&#x27;s built-in accessibility servicess can be used. This can be set on fully managed devices and on work profiles. When applied to a work profile, this affects both the personal profile and the work profile.
    &quot;packageNames&quot;: [ # A list of package names.
      &quot;A String&quot;,
    ],
  },
  &quot;permittedInputMethods&quot;: { # A list of package names. # If present, only the input methods provided by packages in this list are permitted. If this field is present, but the list is empty, then only system input methods are permitted.
    &quot;packageNames&quot;: [ # A list of package names.
      &quot;A String&quot;,
    ],
  },
  &quot;persistentPreferredActivities&quot;: [ # Default intent handler activities.
    { # A default activity for handling intents that match a particular intent filter. Note: To set up a kiosk, use InstallType to KIOSK rather than use persistent preferred activities.
      &quot;actions&quot;: [ # The intent actions to match in the filter. If any actions are included in the filter, then an intent&#x27;s action must be one of those values for it to match. If no actions are included, the intent action is ignored.
        &quot;A String&quot;,
      ],
      &quot;categories&quot;: [ # The intent categories to match in the filter. An intent includes the categories that it requires, all of which must be included in the filter in order to match. In other words, adding a category to the filter has no impact on matching unless that category is specified in the intent.
        &quot;A String&quot;,
      ],
      &quot;receiverActivity&quot;: &quot;A String&quot;, # The activity that should be the default intent handler. This should be an Android component name, e.g. com.android.enterprise.app/.MainActivity. Alternatively, the value may be the package name of an app, which causes Android Device Policy to choose an appropriate activity from the app to handle the intent.
    },
  ],
  &quot;personalUsagePolicies&quot;: { # Policies controlling personal usage on a company-owned device with a work profile. # Policies managing personal usage on a company-owned device.
    &quot;accountTypesWithManagementDisabled&quot;: [ # Account types that can&#x27;t be managed by the user.
      &quot;A String&quot;,
    ],
    &quot;bluetoothSharing&quot;: &quot;A String&quot;, # Optional. Whether bluetooth sharing is allowed.
    &quot;cameraDisabled&quot;: True or False, # If true, the camera is disabled on the personal profile.
    &quot;maxDaysWithWorkOff&quot;: 42, # Controls how long the work profile can stay off. The minimum duration must be at least 3 days. Other details are as follows: - If the duration is set to 0, the feature is turned off. - If the duration is set to a value smaller than the minimum duration, the feature returns an error. *Note:* If you want to avoid personal profiles being suspended during long periods of off-time, you can temporarily set a large value for this parameter.
    &quot;personalApplications&quot;: [ # Policy applied to applications in the personal profile.
      { # Policies for apps in the personal profile of a company-owned device with a work profile.
        &quot;installType&quot;: &quot;A String&quot;, # The type of installation to perform.
        &quot;packageName&quot;: &quot;A String&quot;, # The package name of the application.
      },
    ],
    &quot;personalPlayStoreMode&quot;: &quot;A String&quot;, # Used together with personalApplications to control how apps in the personal profile are allowed or blocked.
    &quot;privateSpacePolicy&quot;: &quot;A String&quot;, # Optional. Controls whether a private space is allowed on the device.
    &quot;screenCaptureDisabled&quot;: True or False, # If true, screen capture is disabled for all users.
  },
  &quot;playStoreMode&quot;: &quot;A String&quot;, # This mode controls which apps are available to the user in the Play Store and the behavior on the device when apps are removed from the policy.
  &quot;policyEnforcementRules&quot;: [ # Rules that define the behavior when a particular policy can not be applied on device
    { # A rule that defines the actions to take if a device or work profile is not compliant with the policy specified in settingName. In the case of multiple matching or multiple triggered enforcement rules, a merge will occur with the most severe action being taken. However, all triggered rules are still kept track of: this includes initial trigger time and all associated non-compliance details. In the situation where the most severe enforcement rule is satisfied, the next most appropriate action is applied.
      &quot;blockAction&quot;: { # An action to block access to apps and data on a fully managed device or in a work profile. This action also triggers a device or work profile to displays a user-facing notification with information (where possible) on how to correct the compliance issue. Note: wipeAction must also be specified. # An action to block access to apps and data on a company owned device or in a work profile. This action also triggers a user-facing notification with information (where possible) on how to correct the compliance issue. Note: wipeAction must also be specified.
        &quot;blockAfterDays&quot;: 42, # Number of days the policy is non-compliant before the device or work profile is blocked. To block access immediately, set to 0. blockAfterDays must be less than wipeAfterDays.
        &quot;blockScope&quot;: &quot;A String&quot;, # Specifies the scope of this BlockAction. Only applicable to devices that are company-owned.
      },
      &quot;settingName&quot;: &quot;A String&quot;, # The top-level policy to enforce. For example, applications or passwordPolicies.
      &quot;wipeAction&quot;: { # An action to reset a company owned device or delete a work profile. Note: blockAction must also be specified. # An action to reset a company owned device or delete a work profile. Note: blockAction must also be specified.
        &quot;preserveFrp&quot;: True or False, # Whether the factory-reset protection data is preserved on the device. This setting doesn’t apply to work profiles.
        &quot;wipeAfterDays&quot;: 42, # Number of days the policy is non-compliant before the device or work profile is wiped. wipeAfterDays must be greater than blockAfterDays.
      },
    },
  ],
  &quot;preferentialNetworkService&quot;: &quot;A String&quot;, # Controls whether preferential network service is enabled on the work profile or on fully managed devices. For example, an organization may have an agreement with a carrier that all of the work data from its employees&#x27; devices will be sent via a network service dedicated for enterprise use. An example of a supported preferential network service is the enterprise slice on 5G networks. This policy has no effect if preferentialNetworkServiceSettings or ApplicationPolicy.preferentialNetworkId is set on devices running Android 13 or above.
  &quot;printingPolicy&quot;: &quot;A String&quot;, # Optional. Controls whether printing is allowed. This is supported on devices running Android 9 and above. .
  &quot;privateKeySelectionEnabled&quot;: True or False, # Allows showing UI on a device for a user to choose a private key alias if there are no matching rules in ChoosePrivateKeyRules. For devices below Android P, setting this may leave enterprise keys vulnerable. This value will have no effect if any application has CERT_SELECTION delegation scope.
  &quot;recommendedGlobalProxy&quot;: { # Configuration info for an HTTP proxy. For a direct proxy, set the host, port, and excluded_hosts fields. For a PAC script proxy, set the pac_uri field. # The network-independent global HTTP proxy. Typically proxies should be configured per-network in open_network_configuration. However for unusual configurations like general internal filtering a global HTTP proxy may be useful. If the proxy is not accessible, network access may break. The global proxy is only a recommendation and some apps may ignore it.
    &quot;excludedHosts&quot;: [ # For a direct proxy, the hosts for which the proxy is bypassed. The host names may contain wildcards such as *.example.com.
      &quot;A String&quot;,
    ],
    &quot;host&quot;: &quot;A String&quot;, # The host of the direct proxy.
    &quot;pacUri&quot;: &quot;A String&quot;, # The URI of the PAC script used to configure the proxy.
    &quot;port&quot;: 42, # The port of the direct proxy.
  },
  &quot;removeUserDisabled&quot;: True or False, # Whether removing other users is disabled.
  &quot;safeBootDisabled&quot;: True or False, # Whether rebooting the device into safe boot is disabled.
  &quot;screenCaptureDisabled&quot;: True or False, # Whether screen capture is disabled.
  &quot;setUserIconDisabled&quot;: True or False, # Whether changing the user icon is disabled. The setting has effect only on fully managed devices.
  &quot;setWallpaperDisabled&quot;: True or False, # Whether changing the wallpaper is disabled.
  &quot;setupActions&quot;: [ # Action to take during the setup process. At most one action may be specified.
    { # An action executed during setup.
      &quot;description&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # Description of this action.
        &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
        &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
          &quot;a_key&quot;: &quot;A String&quot;,
        },
      },
      &quot;launchApp&quot;: { # An action to launch an app. # An action to launch an app. The app will be launched with an intent containing an extra with key com.google.android.apps.work.clouddpc.EXTRA_LAUNCHED_AS_SETUP_ACTION set to the boolean value true to indicate that this is a setup action flow. If SetupAction references an app, the corresponding installType in the application policy must be set as REQUIRED_FOR_SETUP or said setup will fail.
        &quot;packageName&quot;: &quot;A String&quot;, # Package name of app to be launched
      },
      &quot;title&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # Title of this action.
        &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
        &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
          &quot;a_key&quot;: &quot;A String&quot;,
        },
      },
    },
  ],
  &quot;shareLocationDisabled&quot;: True or False, # Whether location sharing is disabled. share_location_disabled is supported for both fully managed devices and personally owned work profiles.
  &quot;shortSupportMessage&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # A message displayed to the user in the settings screen wherever functionality has been disabled by the admin. If the message is longer than 200 characters it may be truncated.
    &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
    &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
      &quot;a_key&quot;: &quot;A String&quot;,
    },
  },
  &quot;skipFirstUseHintsEnabled&quot;: True or False, # Flag to skip hints on the first use. Enterprise admin can enable the system recommendation for apps to skip their user tutorial and other introductory hints on first start-up.
  &quot;smsDisabled&quot;: True or False, # Whether sending and receiving SMS messages is disabled.
  &quot;statusBarDisabled&quot;: True or False, # Whether the status bar is disabled. This disables notifications, quick settings, and other screen overlays that allow escape from full-screen mode. DEPRECATED. To disable the status bar on a kiosk device, use InstallType KIOSK or kioskCustomLauncherEnabled.
  &quot;statusReportingSettings&quot;: { # Settings controlling the behavior of status reports. # Status reporting settings
    &quot;applicationReportingSettings&quot;: { # Settings controlling the behavior of application reports. # Application reporting settings. Only applicable if application_reports_enabled is true.
      &quot;includeRemovedApps&quot;: True or False, # Whether removed apps are included in application reports.
    },
    &quot;applicationReportsEnabled&quot;: True or False, # Whether app reports are enabled.
    &quot;commonCriteriaModeEnabled&quot;: True or False, # Whether Common Criteria Mode reporting is enabled. This is supported only on company-owned devices.
    &quot;defaultApplicationInfoReportingEnabled&quot;: True or False, # Optional. Whether defaultApplicationInfo reporting is enabled.
    &quot;deviceSettingsEnabled&quot;: True or False, # Whether device settings reporting is enabled.
    &quot;displayInfoEnabled&quot;: True or False, # Whether displays reporting is enabled. Report data is not available for personally owned devices with work profiles.
    &quot;hardwareStatusEnabled&quot;: True or False, # Whether hardware status reporting is enabled. Report data is not available for personally owned devices with work profiles.
    &quot;memoryInfoEnabled&quot;: True or False, # Whether memory event reporting is enabled.
    &quot;networkInfoEnabled&quot;: True or False, # Whether network info reporting is enabled.
    &quot;powerManagementEventsEnabled&quot;: True or False, # Whether power management event reporting is enabled. Report data is not available for personally owned devices with work profiles.
    &quot;softwareInfoEnabled&quot;: True or False, # Whether software info reporting is enabled.
    &quot;systemPropertiesEnabled&quot;: True or False, # Whether system properties reporting is enabled.
  },
  &quot;stayOnPluggedModes&quot;: [ # The battery plugged in modes for which the device stays on. When using this setting, it is recommended to clear maximum_time_to_lock so that the device doesn&#x27;t lock itself while it stays on.
    &quot;A String&quot;,
  ],
  &quot;systemUpdate&quot;: { # Configuration for managing system updatesNote: Google Play system updates (https://source.android.com/docs/core/ota/modular-system) (also called Mainline updates) are automatically downloaded but require a device reboot to be installed. Refer to the mainline section in Manage system updates (https://developer.android.com/work/dpc/system-updates#mainline) for further details. # The system update policy, which controls how OS updates are applied. If the update type is WINDOWED, the update window will automatically apply to Play app updates as well.Note: Google Play system updates (https://source.android.com/docs/core/ota/modular-system) (also called Mainline updates) are automatically downloaded and require a device reboot to be installed. Refer to the mainline section in Manage system updates (https://developer.android.com/work/dpc/system-updates#mainline) for further details.
    &quot;endMinutes&quot;: 42, # If the type is WINDOWED, the end of the maintenance window, measured as the number of minutes after midnight in device&#x27;s local time. This value must be between 0 and 1439, inclusive. If this value is less than start_minutes, then the maintenance window spans midnight. If the maintenance window specified is smaller than 30 minutes, the actual window is extended to 30 minutes beyond the start time.
    &quot;freezePeriods&quot;: [ # An annually repeating time period in which over-the-air (OTA) system updates are postponed to freeze the OS version running on a device. To prevent freezing the device indefinitely, each freeze period must be separated by at least 60 days.
      { # A system freeze period. When a device’s clock is within the freeze period, all incoming system updates (including security patches) are blocked and won’t be installed.When the device is outside any set freeze periods, the normal policy behavior (automatic, windowed, or postponed) applies.Leap years are ignored in freeze period calculations, in particular: If Feb. 29th is set as the start or end date of a freeze period, the freeze period will start or end on Feb. 28th instead. When a device’s system clock reads Feb. 29th, it’s treated as Feb. 28th. When calculating the number of days in a freeze period or the time between two freeze periods, Feb. 29th is ignored and not counted as a day.Note: For Freeze Periods to take effect, SystemUpdateType cannot be specified as SYSTEM_UPDATE_TYPE_UNSPECIFIED, because freeze periods require a defined policy to be specified.
        &quot;endDate&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: A full date, with non-zero year, month, and day values. A month and day, with a zero year (for example, an anniversary). A year on its own, with a zero month and a zero day. A year and month, with a zero day (for example, a credit card expiration date).Related types: google.type.TimeOfDay google.type.DateTime google.protobuf.Timestamp # The end date (inclusive) of the freeze period. Must be no later than 90 days from the start date. If the end date is earlier than the start date, the freeze period is considered wrapping year-end. Note: day and month must be set. year should not be set as it is not used. For example, {&quot;month&quot;: 1,&quot;date&quot;: 30}.
          &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
          &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
          &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
        },
        &quot;startDate&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: A full date, with non-zero year, month, and day values. A month and day, with a zero year (for example, an anniversary). A year on its own, with a zero month and a zero day. A year and month, with a zero day (for example, a credit card expiration date).Related types: google.type.TimeOfDay google.type.DateTime google.protobuf.Timestamp # The start date (inclusive) of the freeze period. Note: day and month must be set. year should not be set as it is not used. For example, {&quot;month&quot;: 1,&quot;date&quot;: 30}.
          &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
          &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
          &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
        },
      },
    ],
    &quot;startMinutes&quot;: 42, # If the type is WINDOWED, the start of the maintenance window, measured as the number of minutes after midnight in the device&#x27;s local time. This value must be between 0 and 1439, inclusive.
    &quot;type&quot;: &quot;A String&quot;, # The type of system update to configure.
  },
  &quot;tetheringConfigDisabled&quot;: True or False, # Whether configuring tethering and portable hotspots is disabled. If tetheringSettings is set to anything other than TETHERING_SETTINGS_UNSPECIFIED, this setting is ignored.
  &quot;uninstallAppsDisabled&quot;: True or False, # Whether user uninstallation of applications is disabled. This prevents apps from being uninstalled, even those removed using applications
  &quot;unmuteMicrophoneDisabled&quot;: True or False, # If microphone_access is set to any value other than MICROPHONE_ACCESS_UNSPECIFIED, this has no effect. Otherwise this field controls whether microphones are disabled: If true, all microphones are disabled, otherwise they are available. This is available only on fully managed devices.
  &quot;usageLog&quot;: { # Controls types of device activity logs collected from the device and reported via Pub/Sub notification (https://developers.google.com/android/management/notifications). # Configuration of device activity logging.
    &quot;enabledLogTypes&quot;: [ # Specifies which log types are enabled. Note that users will receive on-device messaging when usage logging is enabled.
      &quot;A String&quot;,
    ],
    &quot;uploadOnCellularAllowed&quot;: [ # Specifies which of the enabled log types can be uploaded over mobile data. By default logs are queued for upload when the device connects to WiFi.
      &quot;A String&quot;,
    ],
  },
  &quot;usbFileTransferDisabled&quot;: True or False, # Whether transferring files over USB is disabled. This is supported only on company-owned devices.
  &quot;usbMassStorageEnabled&quot;: True or False, # Whether USB storage is enabled. Deprecated.
  &quot;version&quot;: &quot;A String&quot;, # The version of the policy. This is a read-only field. The version is incremented each time the policy is updated.
  &quot;vpnConfigDisabled&quot;: True or False, # Whether configuring VPN is disabled.
  &quot;wifiConfigDisabled&quot;: True or False, # Whether configuring Wi-Fi networks is disabled. Supported on fully managed devices and work profiles on company-owned devices. For fully managed devices, setting this to true removes all configured networks and retains only the networks configured using openNetworkConfiguration. For work profiles on company-owned devices, existing configured networks are not affected and the user is not allowed to add, remove, or modify Wi-Fi networks. If configureWifi is set to anything other than CONFIGURE_WIFI_UNSPECIFIED, this setting is ignored. Note: If a network connection can&#x27;t be made at boot time and configuring Wi-Fi is disabled then network escape hatch will be shown in order to refresh the device policy (see networkEscapeHatchEnabled).
  &quot;wifiConfigsLockdownEnabled&quot;: True or False, # This is deprecated.
  &quot;wipeDataFlags&quot;: [ # Optional. Wipe flags to indicate what data is wiped when a device or profile wipe is triggered due to any reason (for example, non-compliance). This does not apply to the enterprises.devices.delete method. . This list must not have duplicates.
    &quot;A String&quot;,
  ],
  &quot;workAccountSetupConfig&quot;: { # Controls the work account setup configuration, such as details of whether a Google authenticated account is required. # Optional. Controls the work account setup configuration, such as details of whether a Google authenticated account is required.
    &quot;authenticationType&quot;: &quot;A String&quot;, # Optional. The authentication type of the user on the device.
    &quot;requiredAccountEmail&quot;: &quot;A String&quot;, # Optional. The specific google work account email address to be added. This field is only relevant if authenticationType is GOOGLE_AUTHENTICATED. This must be an enterprise account and not a consumer account. Once set and a Google authenticated account is added to the device, changing this field will have no effect, and thus recommended to be set only once.
  },
}</pre>
</div>

<div class="method">
    <code class="details" id="list">list(parent, pageSize=None, pageToken=None, x__xgafv=None)</code>
  <pre>Lists policies for a given enterprise.

Args:
  parent: string, The name of the enterprise in the form enterprises/{enterpriseId}. (required)
  pageSize: integer, The requested page size. The actual page size may be fixed to a min or max value.
  pageToken: string, A token identifying a page of results returned by the server.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response to a request to list policies for a given enterprise.
  &quot;nextPageToken&quot;: &quot;A String&quot;, # If there are more results, a token to retrieve next page of results.
  &quot;policies&quot;: [ # The list of policies.
    { # A policy resource represents a group of settings that govern the behavior of a managed device and the apps installed on it.
      &quot;accountTypesWithManagementDisabled&quot;: [ # Account types that can&#x27;t be managed by the user.
        &quot;A String&quot;,
      ],
      &quot;addUserDisabled&quot;: True or False, # Whether adding new users and profiles is disabled. For devices where managementMode is DEVICE_OWNER this field is ignored and the user is never allowed to add or remove users.
      &quot;adjustVolumeDisabled&quot;: True or False, # Whether adjusting the master volume is disabled. Also mutes the device. The setting has effect only on fully managed devices.
      &quot;advancedSecurityOverrides&quot;: { # Advanced security settings. In most cases, setting these is not needed. # Advanced security settings. In most cases, setting these is not needed.
        &quot;commonCriteriaMode&quot;: &quot;A String&quot;, # Controls Common Criteria Mode—security standards defined in the Common Criteria for Information Technology Security Evaluation (https://www.commoncriteriaportal.org/) (CC). Enabling Common Criteria Mode increases certain security components on a device, see CommonCriteriaMode for details.Warning: Common Criteria Mode enforces a strict security model typically only required for IT products used in national security systems and other highly sensitive organizations. Standard device use may be affected. Only enabled if required. If Common Criteria Mode is turned off after being enabled previously, all user-configured Wi-Fi networks may be lost and any enterprise-configured Wi-Fi networks that require user input may need to be reconfigured.
        &quot;contentProtectionPolicy&quot;: &quot;A String&quot;, # Optional. Controls whether content protection, which scans for deceptive apps, is enabled. This is supported on Android 15 and above.
        &quot;developerSettings&quot;: &quot;A String&quot;, # Controls access to developer settings: developer options and safe boot. Replaces safeBootDisabled (deprecated) and debuggingFeaturesAllowed (deprecated). On personally-owned devices with a work profile, setting this policy will not disable safe boot. In this case, a NonComplianceDetail with MANAGEMENT_MODE is reported.
        &quot;googlePlayProtectVerifyApps&quot;: &quot;A String&quot;, # Whether Google Play Protect verification (https://support.google.com/accounts/answer/2812853) is enforced. Replaces ensureVerifyAppsEnabled (deprecated).
        &quot;mtePolicy&quot;: &quot;A String&quot;, # Optional. Controls Memory Tagging Extension (MTE) (https://source.android.com/docs/security/test/memory-safety/arm-mte) on the device. The device needs to be rebooted to apply changes to the MTE policy. On Android 15 and above, a NonComplianceDetail with PENDING is reported if the policy change is pending a device reboot.
        &quot;personalAppsThatCanReadWorkNotifications&quot;: [ # Personal apps that can read work profile notifications using a NotificationListenerService (https://developer.android.com/reference/android/service/notification/NotificationListenerService). By default, no personal apps (aside from system apps) can read work notifications. Each value in the list must be a package name.
          &quot;A String&quot;,
        ],
        &quot;untrustedAppsPolicy&quot;: &quot;A String&quot;, # The policy for untrusted apps (apps from unknown sources) enforced on the device. Replaces install_unknown_sources_allowed (deprecated).
      },
      &quot;alwaysOnVpnPackage&quot;: { # Configuration for an always-on VPN connection. # Configuration for an always-on VPN connection. Use with vpn_config_disabled to prevent modification of this setting.
        &quot;lockdownEnabled&quot;: True or False, # Disallows networking when the VPN is not connected.
        &quot;packageName&quot;: &quot;A String&quot;, # The package name of the VPN app.
      },
      &quot;androidDevicePolicyTracks&quot;: [ # This setting is not supported. Any value is ignored.
        &quot;A String&quot;,
      ],
      &quot;appAutoUpdatePolicy&quot;: &quot;A String&quot;, # Recommended alternative: autoUpdateMode which is set per app, provides greater flexibility around update frequency.When autoUpdateMode is set to AUTO_UPDATE_POSTPONED or AUTO_UPDATE_HIGH_PRIORITY, this field has no effect.The app auto update policy, which controls when automatic app updates can be applied.
      &quot;appFunctions&quot;: &quot;A String&quot;, # Optional. Controls whether apps on the device for fully managed devices or in the work profile for devices with work profiles are allowed to expose app functions.
      &quot;applications&quot;: [ # Policy applied to apps. This can have at most 3,000 elements.
        { # Policy for an individual app. Note: Application availability on a given device cannot be changed using this policy if installAppsDisabled is enabled. The maximum number of applications that you can specify per policy is 3,000.
          &quot;accessibleTrackIds&quot;: [ # List of the app’s track IDs that a device belonging to the enterprise can access. If the list contains multiple track IDs, devices receive the latest version among all accessible tracks. If the list contains no track IDs, devices only have access to the app’s production track. More details about each track are available in AppTrackInfo.
            &quot;A String&quot;,
          ],
          &quot;alwaysOnVpnLockdownExemption&quot;: &quot;A String&quot;, # Specifies whether the app is allowed networking when the VPN is not connected and alwaysOnVpnPackage.lockdownEnabled is enabled. If set to VPN_LOCKDOWN_ENFORCED, the app is not allowed networking, and if set to VPN_LOCKDOWN_EXEMPTION, the app is allowed networking. Only supported on devices running Android 10 and above. If this is not supported by the device, the device will contain a NonComplianceDetail with non_compliance_reason set to API_LEVEL and a fieldPath. If this is not applicable to the app, the device will contain a NonComplianceDetail with non_compliance_reason set to UNSUPPORTED and a fieldPath. The fieldPath is set to applications[i].alwaysOnVpnLockdownExemption, where i is the index of the package in the applications policy.
          &quot;autoUpdateMode&quot;: &quot;A String&quot;, # Controls the auto-update mode for the app.
          &quot;connectedWorkAndPersonalApp&quot;: &quot;A String&quot;, # Controls whether the app can communicate with itself across a device’s work and personal profiles, subject to user consent.
          &quot;credentialProviderPolicy&quot;: &quot;A String&quot;, # Optional. Whether the app is allowed to act as a credential provider on Android 14 and above.
          &quot;customAppConfig&quot;: { # Configuration for a custom app. # Optional. Configuration for this custom app.install_type must be set to CUSTOM for this to be set.
            &quot;userUninstallSettings&quot;: &quot;A String&quot;, # Optional. User uninstall settings of the custom app.
          },
          &quot;defaultPermissionPolicy&quot;: &quot;A String&quot;, # The default policy for all permissions requested by the app. If specified, this overrides the policy-level default_permission_policy which applies to all apps. It does not override the permission_grants which applies to all apps.
          &quot;delegatedScopes&quot;: [ # The scopes delegated to the app from Android Device Policy. These provide additional privileges for the applications they are applied to.
            &quot;A String&quot;,
          ],
          &quot;disabled&quot;: True or False, # Whether the app is disabled. When disabled, the app data is still preserved.
          &quot;extensionConfig&quot;: { # Configuration to enable an app as an extension app, with the capability of interacting with Android Device Policy offline. For Android versions 11 and above, extension apps are exempt from battery restrictions so will not be placed into the restricted App Standby Bucket (https://developer.android.com/topic/performance/appstandby#restricted-bucket). Extensions apps are also protected against users clearing their data or force-closing the application, although admins can continue to use the clear app data command on extension apps if needed for Android 11 and above. # Configuration to enable this app as an extension app, with the capability of interacting with Android Device Policy offline.This field can be set for at most one app. If there is any app with COMPANION_APP role, this field cannot be set.The signing key certificate fingerprint of the app on the device must match one of the entries in ApplicationPolicy.signingKeyCerts or ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) or the signing key certificate fingerprints obtained from Play Store for the app to be able to communicate with Android Device Policy. If the app is not on Play Store and if ApplicationPolicy.signingKeyCerts and ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) are not set, a NonComplianceDetail with INVALID_VALUE is reported.
            &quot;notificationReceiver&quot;: &quot;A String&quot;, # Fully qualified class name of the receiver service class for Android Device Policy to notify the extension app of any local command status updates. The service must be exported in the extension app&#x27;s AndroidManifest.xml and extend NotificationReceiverService (https://developers.google.com/android/management/reference/amapi/com/google/android/managementapi/notification/NotificationReceiverService) (see Integrate with the AMAPI SDK (https://developers.google.com/android/management/sdk-integration) guide for more details).
            &quot;signingKeyFingerprintsSha256&quot;: [ # Hex-encoded SHA-256 hashes of the signing key certificates of the extension app. Only hexadecimal string representations of 64 characters are valid.The signing key certificate fingerprints are always obtained from the Play Store and this field is used to provide additional signing key certificate fingerprints. However, if the application is not available on the Play Store, this field needs to be set. A NonComplianceDetail with INVALID_VALUE is reported if this field is not set when the application is not available on the Play Store.The signing key certificate fingerprint of the extension app on the device must match one of the signing key certificate fingerprints obtained from the Play Store or the ones provided in this field for the app to be able to communicate with Android Device Policy.In production use cases, it is recommended to leave this empty.
              &quot;A String&quot;,
            ],
          },
          &quot;installConstraint&quot;: [ # Optional. The constraints for installing the app. You can specify a maximum of one InstallConstraint. Multiple constraints are rejected.
            { # Amongst apps with InstallType set to: FORCE_INSTALLED PREINSTALLEDthis defines a set of restrictions for the app installation. At least one of the fields must be set. When multiple fields are set, then all the constraints need to be satisfied for the app to be installed.
              &quot;chargingConstraint&quot;: &quot;A String&quot;, # Optional. Charging constraint.
              &quot;deviceIdleConstraint&quot;: &quot;A String&quot;, # Optional. Device idle constraint.
              &quot;networkTypeConstraint&quot;: &quot;A String&quot;, # Optional. Network type constraint.
            },
          ],
          &quot;installPriority&quot;: 42, # Optional. Amongst apps with installType set to: FORCE_INSTALLED PREINSTALLEDthis controls the relative priority of installation. A value of 0 (default) means this app has no priority over other apps. For values between 1 and 10,000, a lower value means a higher priority. Values outside of the range 0 to 10,000 inclusive are rejected.
          &quot;installType&quot;: &quot;A String&quot;, # The type of installation to perform.
          &quot;lockTaskAllowed&quot;: True or False, # Whether the app is allowed to lock itself in full-screen mode. DEPRECATED. Use InstallType KIOSK or kioskCustomLauncherEnabled to configure a dedicated device.
          &quot;managedConfiguration&quot;: { # Managed configuration applied to the app. The format for the configuration is dictated by the ManagedProperty values supported by the app. Each field name in the managed configuration must match the key field of the ManagedProperty. The field value must be compatible with the type of the ManagedProperty: *type* *JSON value* BOOL true or false STRING string INTEGER number CHOICE string MULTISELECT array of strings HIDDEN string BUNDLE_ARRAY array of objects
            &quot;a_key&quot;: &quot;&quot;, # Properties of the object.
          },
          &quot;managedConfigurationTemplate&quot;: { # The managed configurations template for the app, saved from the managed configurations iframe. # The managed configurations template for the app, saved from the managed configurations iframe. This field is ignored if managed_configuration is set.
            &quot;configurationVariables&quot;: { # Optional, a map containing configuration variables defined for the configuration.
              &quot;a_key&quot;: &quot;A String&quot;,
            },
            &quot;templateId&quot;: &quot;A String&quot;, # The ID of the managed configurations template.
          },
          &quot;minimumVersionCode&quot;: 42, # The minimum version of the app that runs on the device. If set, the device attempts to update the app to at least this version code. If the app is not up-to-date, the device will contain a NonComplianceDetail with non_compliance_reason set to APP_NOT_UPDATED. The app must already be published to Google Play with a version code greater than or equal to this value. At most 20 apps may specify a minimum version code per policy.
          &quot;packageName&quot;: &quot;A String&quot;, # The package name of the app. For example, com.google.android.youtube for the YouTube app.
          &quot;permissionGrants&quot;: [ # Explicit permission grants or denials for the app. These values override the default_permission_policy and permission_grants which apply to all apps.
            { # Configuration for an Android permission and its grant state.
              &quot;permission&quot;: &quot;A String&quot;, # The Android permission or group, e.g. android.permission.READ_CALENDAR or android.permission_group.CALENDAR.
              &quot;policy&quot;: &quot;A String&quot;, # The policy for granting the permission.
            },
          ],
          &quot;preferentialNetworkId&quot;: &quot;A String&quot;, # Optional. ID of the preferential network the application uses. There must be a configuration for the specified network ID in preferentialNetworkServiceConfigs. If set to PREFERENTIAL_NETWORK_ID_UNSPECIFIED, the application will use the default network ID specified in defaultPreferentialNetworkId. See the documentation of defaultPreferentialNetworkId for the list of apps excluded from this defaulting. This applies on both work profiles and fully managed devices on Android 13 and above.
          &quot;roles&quot;: [ # Optional. Roles the app has.Apps having certain roles can be exempted from power and background execution restrictions, suspension and hibernation on Android 14 and above. The user control can also be disallowed for apps with certain roles on Android 11 and above. Refer to the documentation of each RoleType for more details.The app is notified about the roles that are set for it if the app has a notification receiver service with . The app is notified whenever its roles are updated or after the app is installed when it has nonempty list of roles. The app can use this notification to bootstrap itself after the installation. See Integrate with the AMAPI SDK (https://developers.google.com/android/management/sdk-integration) and Manage app roles (https://developers.google.com/android/management/app-roles) guides for more details on the requirements for the service.For the exemptions to be applied and the app to be notified about the roles, the signing key certificate fingerprint of the app on the device must match one of the signing key certificate fingerprints obtained from Play Store or one of the entries in ApplicationPolicy.signingKeyCerts. Otherwise, a NonComplianceDetail with APP_SIGNING_CERT_MISMATCH is reported.There must not be duplicate roles with the same roleType. Multiple apps cannot hold a role with the same roleType. A role with type ROLE_TYPE_UNSPECIFIED is not allowed.
            { # Role an app can have.
              &quot;roleType&quot;: &quot;A String&quot;, # Required. The type of the role an app can have.
            },
          ],
          &quot;signingKeyCerts&quot;: [ # Optional. Signing key certificates of the app.This field is required in the following cases: The app has installType set to CUSTOM (i.e. a custom app). The app has roles set to a nonempty list and the app does not exist on the Play Store. The app has extensionConfig set (i.e. an extension app) but ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) is not set and the app does not exist on the Play Store.If this field is not set for a custom app, the policy is rejected. If it is not set when required for a non-custom app, a NonComplianceDetail with INVALID_VALUE is reported.For other cases, this field is optional and the signing key certificates obtained from Play Store are used.See following policy settings to see how this field is used: choosePrivateKeyRules ApplicationPolicy.InstallType.CUSTOM ApplicationPolicy.extensionConfig ApplicationPolicy.roles
            { # The application signing key certificate.
              &quot;signingKeyCertFingerprintSha256&quot;: &quot;A String&quot;, # Required. The SHA-256 hash value of the signing key certificate of the app. This must be a valid SHA-256 hash value, i.e. 32 bytes. Otherwise, the policy is rejected.
            },
          ],
          &quot;userControlSettings&quot;: &quot;A String&quot;, # Optional. Specifies whether user control is permitted for the app. User control includes user actions like force-stopping and clearing app data. Certain types of apps have special treatment, see USER_CONTROL_SETTINGS_UNSPECIFIED and USER_CONTROL_ALLOWED for more details.
          &quot;workProfileWidgets&quot;: &quot;A String&quot;, # Specifies whether the app installed in the work profile is allowed to add widgets to the home screen.
        },
      ],
      &quot;assistContentPolicy&quot;: &quot;A String&quot;, # Optional. Controls whether AssistContent (https://developer.android.com/reference/android/app/assist/AssistContent) is allowed to be sent to a privileged app such as an assistant app. AssistContent includes screenshots and information about an app, such as package name. This is supported on Android 15 and above.
      &quot;autoDateAndTimeZone&quot;: &quot;A String&quot;, # Whether auto date, time, and time zone are enabled on a company-owned device. If this is set, then autoTimeRequired is ignored.
      &quot;autoTimeRequired&quot;: True or False, # Whether auto time is required, which prevents the user from manually setting the date and time. If autoDateAndTimeZone is set, this field is ignored.
      &quot;blockApplicationsEnabled&quot;: True or False, # Whether applications other than the ones configured in applications are blocked from being installed. When set, applications that were installed under a previous policy but no longer appear in the policy are automatically uninstalled.
      &quot;bluetoothConfigDisabled&quot;: True or False, # Whether configuring bluetooth is disabled.
      &quot;bluetoothContactSharingDisabled&quot;: True or False, # Whether bluetooth contact sharing is disabled.
      &quot;bluetoothDisabled&quot;: True or False, # Whether bluetooth is disabled. Prefer this setting over bluetooth_config_disabled because bluetooth_config_disabled can be bypassed by the user.
      &quot;cameraAccess&quot;: &quot;A String&quot;, # Controls the use of the camera and whether the user has access to the camera access toggle.
      &quot;cameraDisabled&quot;: True or False, # If camera_access is set to any value other than CAMERA_ACCESS_UNSPECIFIED, this has no effect. Otherwise this field controls whether cameras are disabled: If true, all cameras are disabled, otherwise they are available. For fully managed devices this field applies for all apps on the device. For work profiles, this field applies only to apps in the work profile, and the camera access of apps outside the work profile is unaffected.
      &quot;cellBroadcastsConfigDisabled&quot;: True or False, # Whether configuring cell broadcast is disabled.
      &quot;choosePrivateKeyRules&quot;: [ # Rules for determining apps&#x27; access to private keys. See ChoosePrivateKeyRule for details. This must be empty if any application has CERT_SELECTION delegation scope.
        { # Controls apps&#x27; access to private keys. The rule determines which private key, if any, Android Device Policy grants to the specified app. Access is granted either when the app calls KeyChain.choosePrivateKeyAlias (https://developer.android.com/reference/android/security/KeyChain#choosePrivateKeyAlias%28android.app.Activity,%20android.security.KeyChainAliasCallback,%20java.lang.String[],%20java.security.Principal[],%20java.lang.String,%20int,%20java.lang.String%29) (or any overloads) to request a private key alias for a given URL, or for rules that are not URL-specific (that is, if urlPattern is not set, or set to the empty string or .*) on Android 11 and above, directly so that the app can call KeyChain.getPrivateKey (https://developer.android.com/reference/android/security/KeyChain#getPrivateKey%28android.content.Context,%20java.lang.String%29), without first having to call KeyChain.choosePrivateKeyAlias.When an app calls KeyChain.choosePrivateKeyAlias if more than one choosePrivateKeyRules matches, the last matching rule defines which key alias to return.
          &quot;packageNames&quot;: [ # The package names to which this rule applies. The signing key certificate fingerprint of the app is verified against the signing key certificate fingerprints provided by Play Store and ApplicationPolicy.signingKeyCerts . If no package names are specified, then the alias is provided to all apps that call KeyChain.choosePrivateKeyAlias (https://developer.android.com/reference/android/security/KeyChain#choosePrivateKeyAlias%28android.app.Activity,%20android.security.KeyChainAliasCallback,%20java.lang.String[],%20java.security.Principal[],%20java.lang.String,%20int,%20java.lang.String%29) or any overloads (but not without calling KeyChain.choosePrivateKeyAlias, even on Android 11 and above). Any app with the same Android UID as a package specified here will have access when they call KeyChain.choosePrivateKeyAlias.
            &quot;A String&quot;,
          ],
          &quot;privateKeyAlias&quot;: &quot;A String&quot;, # The alias of the private key to be used.
          &quot;urlPattern&quot;: &quot;A String&quot;, # The URL pattern to match against the URL of the request. If not set or empty, it matches all URLs. This uses the regular expression syntax of java.util.regex.Pattern.
        },
      ],
      &quot;complianceRules&quot;: [ # Rules declaring which mitigating actions to take when a device is not compliant with its policy. When the conditions for multiple rules are satisfied, all of the mitigating actions for the rules are taken. There is a maximum limit of 100 rules. Use policy enforcement rules instead.
        { # A rule declaring which mitigating actions to take when a device is not compliant with its policy. For every rule, there is always an implicit mitigating action to set policy_compliant to false for the Device resource, and display a message on the device indicating that the device is not compliant with its policy. Other mitigating actions may optionally be taken as well, depending on the field values in the rule.
          &quot;apiLevelCondition&quot;: { # A compliance rule condition which is satisfied if the Android Framework API level on the device doesn&#x27;t meet a minimum requirement. There can only be one rule with this type of condition per policy. # A condition which is satisfied if the Android Framework API level on the device doesn&#x27;t meet a minimum requirement.
            &quot;minApiLevel&quot;: 42, # The minimum desired Android Framework API level. If the device doesn&#x27;t meet the minimum requirement, this condition is satisfied. Must be greater than zero.
          },
          &quot;disableApps&quot;: True or False, # If set to true, the rule includes a mitigating action to disable apps so that the device is effectively disabled, but app data is preserved. If the device is running an app in locked task mode, the app will be closed and a UI showing the reason for non-compliance will be displayed.
          &quot;nonComplianceDetailCondition&quot;: { # A compliance rule condition which is satisfied if there exists any matching NonComplianceDetail for the device. A NonComplianceDetail matches a NonComplianceDetailCondition if all the fields which are set within the NonComplianceDetailCondition match the corresponding NonComplianceDetail fields. # A condition which is satisfied if there exists any matching NonComplianceDetail for the device.
            &quot;nonComplianceReason&quot;: &quot;A String&quot;, # The reason the device is not in compliance with the setting. If not set, then this condition matches any reason.
            &quot;packageName&quot;: &quot;A String&quot;, # The package name of the app that&#x27;s out of compliance. If not set, then this condition matches any package name.
            &quot;settingName&quot;: &quot;A String&quot;, # The name of the policy setting. This is the JSON field name of a top-level Policy field. If not set, then this condition matches any setting name.
          },
          &quot;packageNamesToDisable&quot;: [ # If set, the rule includes a mitigating action to disable apps specified in the list, but app data is preserved.
            &quot;A String&quot;,
          ],
        },
      ],
      &quot;createWindowsDisabled&quot;: True or False, # Whether creating windows besides app windows is disabled.
      &quot;credentialProviderPolicyDefault&quot;: &quot;A String&quot;, # Controls which apps are allowed to act as credential providers on Android 14 and above. These apps store credentials, see this (https://developer.android.com/training/sign-in/passkeys) and this (https://developer.android.com/reference/androidx/credentials/CredentialManager) for details. See also credentialProviderPolicy.
      &quot;credentialsConfigDisabled&quot;: True or False, # Whether configuring user credentials is disabled.
      &quot;crossProfilePolicies&quot;: { # Controls the data from the work profile that can be accessed from the personal profile and vice versa. A NonComplianceDetail with MANAGEMENT_MODE is reported if the device does not have a work profile. # Cross-profile policies applied on the device.
        &quot;crossProfileAppFunctions&quot;: &quot;A String&quot;, # Optional. Controls whether personal profile apps can invoke app functions exposed by apps in the work profile.
        &quot;crossProfileCopyPaste&quot;: &quot;A String&quot;, # Whether text copied from one profile (personal or work) can be pasted in the other profile.
        &quot;crossProfileDataSharing&quot;: &quot;A String&quot;, # Whether data from one profile (personal or work) can be shared with apps in the other profile. Specifically controls simple data sharing via intents. Management of other cross-profile communication channels, such as contact search, copy/paste, or connected work &amp; personal apps, are configured separately.
        &quot;exemptionsToShowWorkContactsInPersonalProfile&quot;: { # A list of package names. # List of apps which are excluded from the ShowWorkContactsInPersonalProfile setting. For this to be set, ShowWorkContactsInPersonalProfile must be set to one of the following values: SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_ALLOWED. In this case, these exemptions act as a blocklist. SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED. In this case, these exemptions act as an allowlist. SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED_EXCEPT_SYSTEM. In this case, these exemptions act as an allowlist, in addition to the already allowlisted system apps.Supported on Android 14 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 14.
          &quot;packageNames&quot;: [ # A list of package names.
            &quot;A String&quot;,
          ],
        },
        &quot;showWorkContactsInPersonalProfile&quot;: &quot;A String&quot;, # Whether personal apps can access contacts stored in the work profile.See also exemptions_to_show_work_contacts_in_personal_profile.
        &quot;workProfileWidgetsDefault&quot;: &quot;A String&quot;, # Specifies the default behaviour for work profile widgets. If the policy does not specify work_profile_widgets for a specific application, it will behave according to the value specified here.
      },
      &quot;dataRoamingDisabled&quot;: True or False, # Whether roaming data services are disabled.
      &quot;debuggingFeaturesAllowed&quot;: True or False, # Whether the user is allowed to enable debugging features.
      &quot;defaultApplicationSettings&quot;: [ # Optional. The default application setting for supported types. If the default application is successfully set for at least one app type on a profile, users are prevented from changing any default applications on that profile.Only one DefaultApplicationSetting is allowed for each DefaultApplicationType.See Default application settings (https://developers.google.com/android/management/default-application-settings) guide for more details.
        { # The default application setting for a DefaultApplicationType.
          &quot;defaultApplicationScopes&quot;: [ # Required. The scopes to which the policy should be applied. This list must not be empty or contain duplicates.A NonComplianceDetail with MANAGEMENT_MODE reason and DEFAULT_APPLICATION_SETTING_UNSUPPORTED_SCOPES specific reason is reported if none of the specified scopes can be applied to the management mode (e.g. a fully managed device receives a policy with only SCOPE_PERSONAL_PROFILE in the list).
            &quot;A String&quot;,
          ],
          &quot;defaultApplicationType&quot;: &quot;A String&quot;, # Required. The app type to set the default application.
          &quot;defaultApplications&quot;: [ # Required. The list of applications that can be set as the default app for a given type. This list must not be empty or contain duplicates. The first app in the list that is installed and qualified for the defaultApplicationType (e.g. SMS app for DEFAULT_SMS) is set as the default app. The signing key certificate fingerprint of the app on the device must also match one of the signing key certificate fingerprints obtained from Play Store or one of the entries in ApplicationPolicy.signingKeyCerts in order to be set as the default.If the defaultApplicationScopes contains SCOPE_FULLY_MANAGED or SCOPE_WORK_PROFILE, the app must have an entry in applications with installType set to a value other than BLOCKED.A NonComplianceDetail with APP_NOT_INSTALLED reason and DEFAULT_APPLICATION_SETTING_FAILED_FOR_SCOPE specific reason is reported if none of the apps in the list are installed. A NonComplianceDetail with INVALID_VALUE reason and DEFAULT_APPLICATION_SETTING_FAILED_FOR_SCOPE specific reason is reported if at least one app is installed but the policy fails to apply due to other reasons (e.g. the app is not of the right type).When applying to SCOPE_PERSONAL_PROFILE on a company-owned device with a work profile, only pre-installed system apps can be set as the default. A NonComplianceDetail with INVALID_VALUE reason and DEFAULT_APPLICATION_SETTING_FAILED_FOR_SCOPE specific reason is reported if the policy fails to apply to the personal profile.
            { # Information about the application to be set as the default.
              &quot;packageName&quot;: &quot;A String&quot;, # Required. The package name that should be set as the default application. The policy is rejected if the package name is invalid.
            },
          ],
        },
      ],
      &quot;defaultPermissionPolicy&quot;: &quot;A String&quot;, # The default permission policy for runtime permission requests.
      &quot;deviceConnectivityManagement&quot;: { # Covers controls for device connectivity such as Wi-Fi, USB data access, keyboard/mouse connections, and more. # Covers controls for device connectivity such as Wi-Fi, USB data access, keyboard/mouse connections, and more.
        &quot;apnPolicy&quot;: { # Access Point Name (APN) policy. Configuration for Access Point Names (APNs) which may override any other APNs on the device. See OVERRIDE_APNS_ENABLED and overrideApns for details. # Optional. Access Point Name (APN) policy. Configuration for Access Point Names (APNs) which may override any other APNs on the device. See OVERRIDE_APNS_ENABLED and overrideApns for details.
          &quot;apnSettings&quot;: [ # Optional. APN settings for override APNs. There must not be any conflict between any of APN settings provided, otherwise the policy will be rejected. Two ApnSettings are considered to conflict when all of the following fields match on both: numericOperatorId, apn, proxyAddress, proxyPort, mmsProxyAddress, mmsProxyPort, mmsc, mvnoType, protocol, roamingProtocol. If some of the APN settings result in non-compliance of INVALID_VALUE , they will be ignored. This can be set on fully managed devices on Android 10 and above. This can also be set on work profiles on Android 13 and above and only with ApnSetting&#x27;s with ENTERPRISE APN type. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 10. A NonComplianceDetail with MANAGEMENT_MODE is reported for work profiles on Android versions less than 13.
            { # An Access Point Name (APN) configuration for a carrier data connection. The APN provides configuration to connect a cellular network device to an IP data network. A carrier uses this setting to decide which IP address to assign, any security methods to apply, and how the device might be connected to private networks.
              &quot;alwaysOnSetting&quot;: &quot;A String&quot;, # Optional. Whether User Plane resources have to be activated during every transition from CM-IDLE mode to CM-CONNECTED state for this APN. See 3GPP TS 23.501 section 5.6.13.
              &quot;apn&quot;: &quot;A String&quot;, # Required. Name of the APN. Policy will be rejected if this field is empty.
              &quot;apnTypes&quot;: [ # Required. Usage categories for the APN. Policy will be rejected if this field is empty or contains APN_TYPE_UNSPECIFIED or duplicates. Multiple APN types can be set on fully managed devices. ENTERPRISE is the only allowed APN type on work profiles. A NonComplianceDetail with MANAGEMENT_MODE is reported for any other value on work profiles. APN types that are not supported on the device or management mode will be ignored. If this results in the empty list, the APN setting will be ignored, because apnTypes is a required field. A NonComplianceDetail with INVALID_VALUE is reported if none of the APN types are supported on the device or management mode.
                &quot;A String&quot;,
              ],
              &quot;authType&quot;: &quot;A String&quot;, # Optional. Authentication type of the APN.
              &quot;carrierId&quot;: 42, # Optional. Carrier ID for the APN. A value of 0 (default) means not set and negative values are rejected.
              &quot;displayName&quot;: &quot;A String&quot;, # Required. Human-readable name that describes the APN. Policy will be rejected if this field is empty.
              &quot;mmsProxyAddress&quot;: &quot;A String&quot;, # Optional. MMS (Multimedia Messaging Service) proxy address of the APN which can be an IP address or hostname (not a URL).
              &quot;mmsProxyPort&quot;: 42, # Optional. MMS (Multimedia Messaging Service) proxy port of the APN. A value of 0 (default) means not set and negative values are rejected.
              &quot;mmsc&quot;: &quot;A String&quot;, # Optional. MMSC (Multimedia Messaging Service Center) URI of the APN.
              &quot;mtuV4&quot;: 42, # Optional. The default MTU (Maximum Transmission Unit) size in bytes of the IPv4 routes brought up by this APN setting. A value of 0 (default) means not set and negative values are rejected. Supported on Android 13 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 13.
              &quot;mtuV6&quot;: 42, # Optional. The MTU (Maximum Transmission Unit) size of the IPv6 mobile interface to which the APN connected. A value of 0 (default) means not set and negative values are rejected. Supported on Android 13 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 13.
              &quot;mvnoType&quot;: &quot;A String&quot;, # Optional. MVNO match type for the APN.
              &quot;networkTypes&quot;: [ # Optional. Radio technologies (network types) the APN may use. Policy will be rejected if this field contains NETWORK_TYPE_UNSPECIFIED or duplicates.
                &quot;A String&quot;,
              ],
              &quot;numericOperatorId&quot;: &quot;A String&quot;, # Optional. The numeric operator ID of the APN. Numeric operator ID is defined as MCC (Mobile Country Code) + MNC (Mobile Network Code).
              &quot;password&quot;: &quot;A String&quot;, # Optional. APN password of the APN.
              &quot;protocol&quot;: &quot;A String&quot;, # Optional. The protocol to use to connect to this APN.
              &quot;proxyAddress&quot;: &quot;A String&quot;, # Optional. The proxy address of the APN.
              &quot;proxyPort&quot;: 42, # Optional. The proxy port of the APN. A value of 0 (default) means not set and negative values are rejected.
              &quot;roamingProtocol&quot;: &quot;A String&quot;, # Optional. The protocol to use to connect to this APN while the device is roaming.
              &quot;username&quot;: &quot;A String&quot;, # Optional. APN username of the APN.
            },
          ],
          &quot;overrideApns&quot;: &quot;A String&quot;, # Optional. Whether override APNs are disabled or enabled. See DevicePolicyManager.setOverrideApnsEnabled (https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setOverrideApnsEnabled) for more details.
        },
        &quot;bluetoothSharing&quot;: &quot;A String&quot;, # Optional. Controls whether Bluetooth sharing is allowed.
        &quot;configureWifi&quot;: &quot;A String&quot;, # Controls Wi-Fi configuring privileges. Based on the option set, user will have either full or limited or no control in configuring Wi-Fi networks.
        &quot;preferentialNetworkServiceSettings&quot;: { # Preferential network service settings. # Optional. Preferential network service configuration. Setting this field will override preferentialNetworkService. This can be set on both work profiles and fully managed devices on Android 13 and above. See 5G network slicing (https://developers.google.com/android/management/5g-network-slicing) guide for more details.
          &quot;defaultPreferentialNetworkId&quot;: &quot;A String&quot;, # Required. Default preferential network ID for the applications that are not in applications or if ApplicationPolicy.preferentialNetworkId is set to PREFERENTIAL_NETWORK_ID_UNSPECIFIED. There must be a configuration for the specified network ID in preferentialNetworkServiceConfigs, unless this is set to NO_PREFERENTIAL_NETWORK. If set to PREFERENTIAL_NETWORK_ID_UNSPECIFIED or unset, this defaults to NO_PREFERENTIAL_NETWORK. Note: If the default preferential network is misconfigured, applications with no ApplicationPolicy.preferentialNetworkId set are not able to access the internet. This setting does not apply to the following critical apps: com.google.android.apps.work.clouddpc com.google.android.gmsApplicationPolicy.preferentialNetworkId can still be used to configure the preferential network for them.
          &quot;preferentialNetworkServiceConfigs&quot;: [ # Required. Preferential network service configurations which enables having multiple enterprise slices. There must not be multiple configurations with the same preferentialNetworkId. If a configuration is not referenced by any application by setting ApplicationPolicy.preferentialNetworkId or by setting defaultPreferentialNetworkId, it will be ignored. For devices on 4G networks, enterprise APN needs to be configured additionally to set up data call for preferential network service. These APNs can be added using apnPolicy.
            { # Individual preferential network service configuration.
              &quot;fallbackToDefaultConnection&quot;: &quot;A String&quot;, # Optional. Whether fallback to the device-wide default network is allowed. If this is set to FALLBACK_TO_DEFAULT_CONNECTION_ALLOWED, then nonMatchingNetworks must not be set to NON_MATCHING_NETWORKS_DISALLOWED, the policy will be rejected otherwise. Note: If this is set to FALLBACK_TO_DEFAULT_CONNECTION_DISALLOWED, applications are not able to access the internet if the 5G slice is not available.
              &quot;nonMatchingNetworks&quot;: &quot;A String&quot;, # Optional. Whether apps this configuration applies to are blocked from using networks other than the preferential service. If this is set to NON_MATCHING_NETWORKS_DISALLOWED, then fallbackToDefaultConnection must be set to FALLBACK_TO_DEFAULT_CONNECTION_DISALLOWED.
              &quot;preferentialNetworkId&quot;: &quot;A String&quot;, # Required. Preferential network identifier. This must not be set to NO_PREFERENTIAL_NETWORK or PREFERENTIAL_NETWORK_ID_UNSPECIFIED, the policy will be rejected otherwise.
            },
          ],
        },
        &quot;tetheringSettings&quot;: &quot;A String&quot;, # Controls tethering settings. Based on the value set, the user is partially or fully disallowed from using different forms of tethering.
        &quot;usbDataAccess&quot;: &quot;A String&quot;, # Controls what files and/or data can be transferred via USB. Supported only on company-owned devices.
        &quot;wifiDirectSettings&quot;: &quot;A String&quot;, # Controls configuring and using Wi-Fi direct settings. Supported on company-owned devices running Android 13 and above.
        &quot;wifiRoamingPolicy&quot;: { # Wi-Fi roaming policy. # Optional. Wi-Fi roaming policy.
          &quot;wifiRoamingSettings&quot;: [ # Optional. Wi-Fi roaming settings. SSIDs provided in this list must be unique, the policy will be rejected otherwise.
            { # Wi-Fi roaming setting.
              &quot;wifiRoamingMode&quot;: &quot;A String&quot;, # Required. Wi-Fi roaming mode for the specified SSID.
              &quot;wifiSsid&quot;: &quot;A String&quot;, # Required. SSID of the Wi-Fi network.
            },
          ],
        },
        &quot;wifiSsidPolicy&quot;: { # Restrictions on which Wi-Fi SSIDs the device can connect to. Note that this does not affect which networks can be configured on the device. Supported on company-owned devices running Android 13 and above. # Restrictions on which Wi-Fi SSIDs the device can connect to. Note that this does not affect which networks can be configured on the device. Supported on company-owned devices running Android 13 and above.
          &quot;wifiSsidPolicyType&quot;: &quot;A String&quot;, # Type of the Wi-Fi SSID policy to be applied.
          &quot;wifiSsids&quot;: [ # Optional. List of Wi-Fi SSIDs that should be applied in the policy. This field must be non-empty when WifiSsidPolicyType is set to WIFI_SSID_ALLOWLIST. If this is set to a non-empty list, then a NonComplianceDetail detail with API_LEVEL is reported if the Android version is less than 13 and a NonComplianceDetail with MANAGEMENT_MODE is reported for non-company-owned devices.
            { # Represents a Wi-Fi SSID.
              &quot;wifiSsid&quot;: &quot;A String&quot;, # Required. Wi-Fi SSID represented as a string.
            },
          ],
        },
      },
      &quot;deviceOwnerLockScreenInfo&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # The device owner information to be shown on the lock screen.
        &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
        &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
          &quot;a_key&quot;: &quot;A String&quot;,
        },
      },
      &quot;deviceRadioState&quot;: { # Controls for device radio settings. # Covers controls for radio state such as Wi-Fi, bluetooth, and more.
        &quot;airplaneModeState&quot;: &quot;A String&quot;, # Controls whether airplane mode can be toggled by the user or not.
        &quot;cellularTwoGState&quot;: &quot;A String&quot;, # Controls whether cellular 2G setting can be toggled by the user or not.
        &quot;minimumWifiSecurityLevel&quot;: &quot;A String&quot;, # The minimum required security level of Wi-Fi networks that the device can connect to.
        &quot;ultraWidebandState&quot;: &quot;A String&quot;, # Controls the state of the ultra wideband setting and whether the user can toggle it on or off.
        &quot;wifiState&quot;: &quot;A String&quot;, # Controls current state of Wi-Fi and if user can change its state.
      },
      &quot;displaySettings&quot;: { # Controls for the display settings. # Optional. Controls for the display settings.
        &quot;screenBrightnessSettings&quot;: { # Controls for the screen brightness settings. # Optional. Controls the screen brightness settings.
          &quot;screenBrightness&quot;: 42, # Optional. The screen brightness between 1 and 255 where 1 is the lowest and 255 is the highest brightness. A value of 0 (default) means no screen brightness set. Any other value is rejected. screenBrightnessMode must be either BRIGHTNESS_AUTOMATIC or BRIGHTNESS_FIXED to set this. Supported on Android 9 and above on fully managed devices. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 9. Supported on work profiles on company-owned devices on Android 15 and above.
          &quot;screenBrightnessMode&quot;: &quot;A String&quot;, # Optional. Controls the screen brightness mode.
        },
        &quot;screenTimeoutSettings&quot;: { # Controls the screen timeout settings. # Optional. Controls the screen timeout settings.
          &quot;screenTimeout&quot;: &quot;A String&quot;, # Optional. Controls the screen timeout duration. The screen timeout duration must be greater than 0, otherwise it is rejected. Additionally, it should not be greater than maximumTimeToLock, otherwise the screen timeout is set to maximumTimeToLock and a NonComplianceDetail with INVALID_VALUE reason and SCREEN_TIMEOUT_GREATER_THAN_MAXIMUM_TIME_TO_LOCK specific reason is reported. If the screen timeout is less than a certain lower bound, it is set to the lower bound. The lower bound may vary across devices. If this is set, screenTimeoutMode must be SCREEN_TIMEOUT_ENFORCED. Supported on Android 9 and above on fully managed devices. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 9. Supported on work profiles on company-owned devices on Android 15 and above.
          &quot;screenTimeoutMode&quot;: &quot;A String&quot;, # Optional. Controls whether the user is allowed to configure the screen timeout.
        },
      },
      &quot;encryptionPolicy&quot;: &quot;A String&quot;, # Whether encryption is enabled
      &quot;ensureVerifyAppsEnabled&quot;: True or False, # Whether app verification is force-enabled.
      &quot;enterpriseDisplayNameVisibility&quot;: &quot;A String&quot;, # Optional. Controls whether the enterpriseDisplayName is visible on the device (e.g. lock screen message on company-owned devices).
      &quot;factoryResetDisabled&quot;: True or False, # Whether factory resetting from settings is disabled.
      &quot;frpAdminEmails&quot;: [ # Email addresses of device administrators for factory reset protection. When the device is factory reset, it will require one of these admins to log in with the Google account email and password to unlock the device. If no admins are specified, the device won&#x27;t provide factory reset protection.
        &quot;A String&quot;,
      ],
      &quot;funDisabled&quot;: True or False, # Whether the user is allowed to have fun. Controls whether the Easter egg game in Settings is disabled.
      &quot;installAppsDisabled&quot;: True or False, # Whether user installation of apps is disabled.
      &quot;installUnknownSourcesAllowed&quot;: True or False, # This field has no effect.
      &quot;keyguardDisabled&quot;: True or False, # If true, this disables the Lock Screen (https://source.android.com/docs/core/display/multi_display/lock-screen) for primary and/or secondary displays. This policy is supported only in dedicated device management mode.
      &quot;keyguardDisabledFeatures&quot;: [ # Disabled keyguard customizations, such as widgets.
        &quot;A String&quot;,
      ],
      &quot;kioskCustomLauncherEnabled&quot;: True or False, # Whether the kiosk custom launcher is enabled. This replaces the home screen with a launcher that locks down the device to the apps installed via the applications setting. Apps appear on a single page in alphabetical order. Use kioskCustomization to further configure the kiosk device behavior.
      &quot;kioskCustomization&quot;: { # Settings controlling the behavior of a device in kiosk mode. To enable kiosk mode, set kioskCustomLauncherEnabled to true or specify an app in the policy with installType KIOSK. # Settings controlling the behavior of a device in kiosk mode. To enable kiosk mode, set kioskCustomLauncherEnabled to true or specify an app in the policy with installType KIOSK.
        &quot;deviceSettings&quot;: &quot;A String&quot;, # Specifies whether the Settings app is allowed in kiosk mode.
        &quot;powerButtonActions&quot;: &quot;A String&quot;, # Sets the behavior of a device in kiosk mode when a user presses and holds (long-presses) the Power button.
        &quot;statusBar&quot;: &quot;A String&quot;, # Specifies whether system info and notifications are disabled in kiosk mode.
        &quot;systemErrorWarnings&quot;: &quot;A String&quot;, # Specifies whether system error dialogs for crashed or unresponsive apps are blocked in kiosk mode. When blocked, the system will force-stop the app as if the user chooses the &quot;close app&quot; option on the UI.
        &quot;systemNavigation&quot;: &quot;A String&quot;, # Specifies which navigation features are enabled (e.g. Home, Overview buttons) in kiosk mode.
      },
      &quot;locationMode&quot;: &quot;A String&quot;, # The degree of location detection enabled.
      &quot;longSupportMessage&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # A message displayed to the user in the device administators settings screen.
        &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
        &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
          &quot;a_key&quot;: &quot;A String&quot;,
        },
      },
      &quot;maximumTimeToLock&quot;: &quot;A String&quot;, # Maximum time in milliseconds for user activity until the device locks. A value of 0 means there is no restriction.
      &quot;microphoneAccess&quot;: &quot;A String&quot;, # Controls the use of the microphone and whether the user has access to the microphone access toggle. This applies only on fully managed devices.
      &quot;minimumApiLevel&quot;: 42, # The minimum allowed Android API level.
      &quot;mobileNetworksConfigDisabled&quot;: True or False, # Whether configuring mobile networks is disabled.
      &quot;modifyAccountsDisabled&quot;: True or False, # Whether adding or removing accounts is disabled.
      &quot;mountPhysicalMediaDisabled&quot;: True or False, # Whether the user mounting physical external media is disabled.
      &quot;name&quot;: &quot;A String&quot;, # The name of the policy in the form enterprises/{enterpriseId}/policies/{policyId}.
      &quot;networkEscapeHatchEnabled&quot;: True or False, # Whether the network escape hatch is enabled. If a network connection can&#x27;t be made at boot time, the escape hatch prompts the user to temporarily connect to a network in order to refresh the device policy. After applying policy, the temporary network will be forgotten and the device will continue booting. This prevents being unable to connect to a network if there is no suitable network in the last policy and the device boots into an app in lock task mode, or the user is otherwise unable to reach device settings.Note: Setting wifiConfigDisabled to true will override this setting under specific circumstances. Please see wifiConfigDisabled for further details. Setting configureWifi to DISALLOW_CONFIGURING_WIFI will override this setting under specific circumstances. Please see DISALLOW_CONFIGURING_WIFI for further details.
      &quot;networkResetDisabled&quot;: True or False, # Whether resetting network settings is disabled.
      &quot;oncCertificateProviders&quot;: [ # This feature is not generally available.
        { # This feature is not generally available.
          &quot;certificateReferences&quot;: [ # This feature is not generally available.
            &quot;A String&quot;,
          ],
          &quot;contentProviderEndpoint&quot;: { # This feature is not generally available. # This feature is not generally available.
            &quot;packageName&quot;: &quot;A String&quot;, # This feature is not generally available.
            &quot;signingCertsSha256&quot;: [ # Required. This feature is not generally available.
              &quot;A String&quot;,
            ],
            &quot;uri&quot;: &quot;A String&quot;, # This feature is not generally available.
          },
        },
      ],
      &quot;openNetworkConfiguration&quot;: { # Network configuration for the device. See configure networks for more information.
        &quot;a_key&quot;: &quot;&quot;, # Properties of the object.
      },
      &quot;outgoingBeamDisabled&quot;: True or False, # Whether using NFC to beam data from apps is disabled.
      &quot;outgoingCallsDisabled&quot;: True or False, # Whether outgoing calls are disabled.
      &quot;passwordPolicies&quot;: [ # Password requirement policies. Different policies can be set for work profile or fully managed devices by setting the password_scope field in the policy.
        { # Requirements for the password used to unlock a device.
          &quot;maximumFailedPasswordsForWipe&quot;: 42, # Number of incorrect device-unlock passwords that can be entered before a device is wiped. A value of 0 means there is no restriction.
          &quot;passwordExpirationTimeout&quot;: &quot;A String&quot;, # Password expiration timeout.
          &quot;passwordHistoryLength&quot;: 42, # The length of the password history. After setting this field, the user won&#x27;t be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction.
          &quot;passwordMinimumLength&quot;: 42, # The minimum allowed password length. A value of 0 means there is no restriction. Only enforced when password_quality is NUMERIC, NUMERIC_COMPLEX, ALPHABETIC, ALPHANUMERIC, or COMPLEX.
          &quot;passwordMinimumLetters&quot;: 42, # Minimum number of letters required in the password. Only enforced when password_quality is COMPLEX.
          &quot;passwordMinimumLowerCase&quot;: 42, # Minimum number of lower case letters required in the password. Only enforced when password_quality is COMPLEX.
          &quot;passwordMinimumNonLetter&quot;: 42, # Minimum number of non-letter characters (numerical digits or symbols) required in the password. Only enforced when password_quality is COMPLEX.
          &quot;passwordMinimumNumeric&quot;: 42, # Minimum number of numerical digits required in the password. Only enforced when password_quality is COMPLEX.
          &quot;passwordMinimumSymbols&quot;: 42, # Minimum number of symbols required in the password. Only enforced when password_quality is COMPLEX.
          &quot;passwordMinimumUpperCase&quot;: 42, # Minimum number of upper case letters required in the password. Only enforced when password_quality is COMPLEX.
          &quot;passwordQuality&quot;: &quot;A String&quot;, # The required password quality.
          &quot;passwordScope&quot;: &quot;A String&quot;, # The scope that the password requirement applies to.
          &quot;requirePasswordUnlock&quot;: &quot;A String&quot;, # The length of time after a device or work profile is unlocked using a strong form of authentication (password, PIN, pattern) that it can be unlocked using any other authentication method (e.g. fingerprint, trust agents, face). After the specified time period elapses, only strong forms of authentication can be used to unlock the device or work profile.
          &quot;unifiedLockSettings&quot;: &quot;A String&quot;, # Controls whether a unified lock is allowed for the device and the work profile, on devices running Android 9 and above with a work profile. This can be set only if password_scope is set to SCOPE_PROFILE, the policy will be rejected otherwise. If user has not set a separate work lock and this field is set to REQUIRE_SEPARATE_WORK_LOCK, a NonComplianceDetail is reported with nonComplianceReason set to USER_ACTION.
        },
      ],
      &quot;passwordRequirements&quot;: { # Requirements for the password used to unlock a device. # Password requirements. The field password_requirements.require_password_unlock must not be set. DEPRECATED - Use passwordPolicies.Note:Complexity-based values of PasswordQuality, that is, COMPLEXITY_LOW, COMPLEXITY_MEDIUM, and COMPLEXITY_HIGH, cannot be used here. unified_lock_settings cannot be used here.
        &quot;maximumFailedPasswordsForWipe&quot;: 42, # Number of incorrect device-unlock passwords that can be entered before a device is wiped. A value of 0 means there is no restriction.
        &quot;passwordExpirationTimeout&quot;: &quot;A String&quot;, # Password expiration timeout.
        &quot;passwordHistoryLength&quot;: 42, # The length of the password history. After setting this field, the user won&#x27;t be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction.
        &quot;passwordMinimumLength&quot;: 42, # The minimum allowed password length. A value of 0 means there is no restriction. Only enforced when password_quality is NUMERIC, NUMERIC_COMPLEX, ALPHABETIC, ALPHANUMERIC, or COMPLEX.
        &quot;passwordMinimumLetters&quot;: 42, # Minimum number of letters required in the password. Only enforced when password_quality is COMPLEX.
        &quot;passwordMinimumLowerCase&quot;: 42, # Minimum number of lower case letters required in the password. Only enforced when password_quality is COMPLEX.
        &quot;passwordMinimumNonLetter&quot;: 42, # Minimum number of non-letter characters (numerical digits or symbols) required in the password. Only enforced when password_quality is COMPLEX.
        &quot;passwordMinimumNumeric&quot;: 42, # Minimum number of numerical digits required in the password. Only enforced when password_quality is COMPLEX.
        &quot;passwordMinimumSymbols&quot;: 42, # Minimum number of symbols required in the password. Only enforced when password_quality is COMPLEX.
        &quot;passwordMinimumUpperCase&quot;: 42, # Minimum number of upper case letters required in the password. Only enforced when password_quality is COMPLEX.
        &quot;passwordQuality&quot;: &quot;A String&quot;, # The required password quality.
        &quot;passwordScope&quot;: &quot;A String&quot;, # The scope that the password requirement applies to.
        &quot;requirePasswordUnlock&quot;: &quot;A String&quot;, # The length of time after a device or work profile is unlocked using a strong form of authentication (password, PIN, pattern) that it can be unlocked using any other authentication method (e.g. fingerprint, trust agents, face). After the specified time period elapses, only strong forms of authentication can be used to unlock the device or work profile.
        &quot;unifiedLockSettings&quot;: &quot;A String&quot;, # Controls whether a unified lock is allowed for the device and the work profile, on devices running Android 9 and above with a work profile. This can be set only if password_scope is set to SCOPE_PROFILE, the policy will be rejected otherwise. If user has not set a separate work lock and this field is set to REQUIRE_SEPARATE_WORK_LOCK, a NonComplianceDetail is reported with nonComplianceReason set to USER_ACTION.
      },
      &quot;permissionGrants&quot;: [ # Explicit permission or group grants or denials for all apps. These values override the default_permission_policy.
        { # Configuration for an Android permission and its grant state.
          &quot;permission&quot;: &quot;A String&quot;, # The Android permission or group, e.g. android.permission.READ_CALENDAR or android.permission_group.CALENDAR.
          &quot;policy&quot;: &quot;A String&quot;, # The policy for granting the permission.
        },
      ],
      &quot;permittedAccessibilityServices&quot;: { # A list of package names. # Specifies permitted accessibility services. If the field is not set, any accessibility service can be used. If the field is set, only the accessibility services in this list and the system&#x27;s built-in accessibility service can be used. In particular, if the field is set to empty, only the system&#x27;s built-in accessibility servicess can be used. This can be set on fully managed devices and on work profiles. When applied to a work profile, this affects both the personal profile and the work profile.
        &quot;packageNames&quot;: [ # A list of package names.
          &quot;A String&quot;,
        ],
      },
      &quot;permittedInputMethods&quot;: { # A list of package names. # If present, only the input methods provided by packages in this list are permitted. If this field is present, but the list is empty, then only system input methods are permitted.
        &quot;packageNames&quot;: [ # A list of package names.
          &quot;A String&quot;,
        ],
      },
      &quot;persistentPreferredActivities&quot;: [ # Default intent handler activities.
        { # A default activity for handling intents that match a particular intent filter. Note: To set up a kiosk, use InstallType to KIOSK rather than use persistent preferred activities.
          &quot;actions&quot;: [ # The intent actions to match in the filter. If any actions are included in the filter, then an intent&#x27;s action must be one of those values for it to match. If no actions are included, the intent action is ignored.
            &quot;A String&quot;,
          ],
          &quot;categories&quot;: [ # The intent categories to match in the filter. An intent includes the categories that it requires, all of which must be included in the filter in order to match. In other words, adding a category to the filter has no impact on matching unless that category is specified in the intent.
            &quot;A String&quot;,
          ],
          &quot;receiverActivity&quot;: &quot;A String&quot;, # The activity that should be the default intent handler. This should be an Android component name, e.g. com.android.enterprise.app/.MainActivity. Alternatively, the value may be the package name of an app, which causes Android Device Policy to choose an appropriate activity from the app to handle the intent.
        },
      ],
      &quot;personalUsagePolicies&quot;: { # Policies controlling personal usage on a company-owned device with a work profile. # Policies managing personal usage on a company-owned device.
        &quot;accountTypesWithManagementDisabled&quot;: [ # Account types that can&#x27;t be managed by the user.
          &quot;A String&quot;,
        ],
        &quot;bluetoothSharing&quot;: &quot;A String&quot;, # Optional. Whether bluetooth sharing is allowed.
        &quot;cameraDisabled&quot;: True or False, # If true, the camera is disabled on the personal profile.
        &quot;maxDaysWithWorkOff&quot;: 42, # Controls how long the work profile can stay off. The minimum duration must be at least 3 days. Other details are as follows: - If the duration is set to 0, the feature is turned off. - If the duration is set to a value smaller than the minimum duration, the feature returns an error. *Note:* If you want to avoid personal profiles being suspended during long periods of off-time, you can temporarily set a large value for this parameter.
        &quot;personalApplications&quot;: [ # Policy applied to applications in the personal profile.
          { # Policies for apps in the personal profile of a company-owned device with a work profile.
            &quot;installType&quot;: &quot;A String&quot;, # The type of installation to perform.
            &quot;packageName&quot;: &quot;A String&quot;, # The package name of the application.
          },
        ],
        &quot;personalPlayStoreMode&quot;: &quot;A String&quot;, # Used together with personalApplications to control how apps in the personal profile are allowed or blocked.
        &quot;privateSpacePolicy&quot;: &quot;A String&quot;, # Optional. Controls whether a private space is allowed on the device.
        &quot;screenCaptureDisabled&quot;: True or False, # If true, screen capture is disabled for all users.
      },
      &quot;playStoreMode&quot;: &quot;A String&quot;, # This mode controls which apps are available to the user in the Play Store and the behavior on the device when apps are removed from the policy.
      &quot;policyEnforcementRules&quot;: [ # Rules that define the behavior when a particular policy can not be applied on device
        { # A rule that defines the actions to take if a device or work profile is not compliant with the policy specified in settingName. In the case of multiple matching or multiple triggered enforcement rules, a merge will occur with the most severe action being taken. However, all triggered rules are still kept track of: this includes initial trigger time and all associated non-compliance details. In the situation where the most severe enforcement rule is satisfied, the next most appropriate action is applied.
          &quot;blockAction&quot;: { # An action to block access to apps and data on a fully managed device or in a work profile. This action also triggers a device or work profile to displays a user-facing notification with information (where possible) on how to correct the compliance issue. Note: wipeAction must also be specified. # An action to block access to apps and data on a company owned device or in a work profile. This action also triggers a user-facing notification with information (where possible) on how to correct the compliance issue. Note: wipeAction must also be specified.
            &quot;blockAfterDays&quot;: 42, # Number of days the policy is non-compliant before the device or work profile is blocked. To block access immediately, set to 0. blockAfterDays must be less than wipeAfterDays.
            &quot;blockScope&quot;: &quot;A String&quot;, # Specifies the scope of this BlockAction. Only applicable to devices that are company-owned.
          },
          &quot;settingName&quot;: &quot;A String&quot;, # The top-level policy to enforce. For example, applications or passwordPolicies.
          &quot;wipeAction&quot;: { # An action to reset a company owned device or delete a work profile. Note: blockAction must also be specified. # An action to reset a company owned device or delete a work profile. Note: blockAction must also be specified.
            &quot;preserveFrp&quot;: True or False, # Whether the factory-reset protection data is preserved on the device. This setting doesn’t apply to work profiles.
            &quot;wipeAfterDays&quot;: 42, # Number of days the policy is non-compliant before the device or work profile is wiped. wipeAfterDays must be greater than blockAfterDays.
          },
        },
      ],
      &quot;preferentialNetworkService&quot;: &quot;A String&quot;, # Controls whether preferential network service is enabled on the work profile or on fully managed devices. For example, an organization may have an agreement with a carrier that all of the work data from its employees&#x27; devices will be sent via a network service dedicated for enterprise use. An example of a supported preferential network service is the enterprise slice on 5G networks. This policy has no effect if preferentialNetworkServiceSettings or ApplicationPolicy.preferentialNetworkId is set on devices running Android 13 or above.
      &quot;printingPolicy&quot;: &quot;A String&quot;, # Optional. Controls whether printing is allowed. This is supported on devices running Android 9 and above. .
      &quot;privateKeySelectionEnabled&quot;: True or False, # Allows showing UI on a device for a user to choose a private key alias if there are no matching rules in ChoosePrivateKeyRules. For devices below Android P, setting this may leave enterprise keys vulnerable. This value will have no effect if any application has CERT_SELECTION delegation scope.
      &quot;recommendedGlobalProxy&quot;: { # Configuration info for an HTTP proxy. For a direct proxy, set the host, port, and excluded_hosts fields. For a PAC script proxy, set the pac_uri field. # The network-independent global HTTP proxy. Typically proxies should be configured per-network in open_network_configuration. However for unusual configurations like general internal filtering a global HTTP proxy may be useful. If the proxy is not accessible, network access may break. The global proxy is only a recommendation and some apps may ignore it.
        &quot;excludedHosts&quot;: [ # For a direct proxy, the hosts for which the proxy is bypassed. The host names may contain wildcards such as *.example.com.
          &quot;A String&quot;,
        ],
        &quot;host&quot;: &quot;A String&quot;, # The host of the direct proxy.
        &quot;pacUri&quot;: &quot;A String&quot;, # The URI of the PAC script used to configure the proxy.
        &quot;port&quot;: 42, # The port of the direct proxy.
      },
      &quot;removeUserDisabled&quot;: True or False, # Whether removing other users is disabled.
      &quot;safeBootDisabled&quot;: True or False, # Whether rebooting the device into safe boot is disabled.
      &quot;screenCaptureDisabled&quot;: True or False, # Whether screen capture is disabled.
      &quot;setUserIconDisabled&quot;: True or False, # Whether changing the user icon is disabled. The setting has effect only on fully managed devices.
      &quot;setWallpaperDisabled&quot;: True or False, # Whether changing the wallpaper is disabled.
      &quot;setupActions&quot;: [ # Action to take during the setup process. At most one action may be specified.
        { # An action executed during setup.
          &quot;description&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # Description of this action.
            &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
            &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
              &quot;a_key&quot;: &quot;A String&quot;,
            },
          },
          &quot;launchApp&quot;: { # An action to launch an app. # An action to launch an app. The app will be launched with an intent containing an extra with key com.google.android.apps.work.clouddpc.EXTRA_LAUNCHED_AS_SETUP_ACTION set to the boolean value true to indicate that this is a setup action flow. If SetupAction references an app, the corresponding installType in the application policy must be set as REQUIRED_FOR_SETUP or said setup will fail.
            &quot;packageName&quot;: &quot;A String&quot;, # Package name of app to be launched
          },
          &quot;title&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # Title of this action.
            &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
            &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
              &quot;a_key&quot;: &quot;A String&quot;,
            },
          },
        },
      ],
      &quot;shareLocationDisabled&quot;: True or False, # Whether location sharing is disabled. share_location_disabled is supported for both fully managed devices and personally owned work profiles.
      &quot;shortSupportMessage&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # A message displayed to the user in the settings screen wherever functionality has been disabled by the admin. If the message is longer than 200 characters it may be truncated.
        &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
        &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
          &quot;a_key&quot;: &quot;A String&quot;,
        },
      },
      &quot;skipFirstUseHintsEnabled&quot;: True or False, # Flag to skip hints on the first use. Enterprise admin can enable the system recommendation for apps to skip their user tutorial and other introductory hints on first start-up.
      &quot;smsDisabled&quot;: True or False, # Whether sending and receiving SMS messages is disabled.
      &quot;statusBarDisabled&quot;: True or False, # Whether the status bar is disabled. This disables notifications, quick settings, and other screen overlays that allow escape from full-screen mode. DEPRECATED. To disable the status bar on a kiosk device, use InstallType KIOSK or kioskCustomLauncherEnabled.
      &quot;statusReportingSettings&quot;: { # Settings controlling the behavior of status reports. # Status reporting settings
        &quot;applicationReportingSettings&quot;: { # Settings controlling the behavior of application reports. # Application reporting settings. Only applicable if application_reports_enabled is true.
          &quot;includeRemovedApps&quot;: True or False, # Whether removed apps are included in application reports.
        },
        &quot;applicationReportsEnabled&quot;: True or False, # Whether app reports are enabled.
        &quot;commonCriteriaModeEnabled&quot;: True or False, # Whether Common Criteria Mode reporting is enabled. This is supported only on company-owned devices.
        &quot;defaultApplicationInfoReportingEnabled&quot;: True or False, # Optional. Whether defaultApplicationInfo reporting is enabled.
        &quot;deviceSettingsEnabled&quot;: True or False, # Whether device settings reporting is enabled.
        &quot;displayInfoEnabled&quot;: True or False, # Whether displays reporting is enabled. Report data is not available for personally owned devices with work profiles.
        &quot;hardwareStatusEnabled&quot;: True or False, # Whether hardware status reporting is enabled. Report data is not available for personally owned devices with work profiles.
        &quot;memoryInfoEnabled&quot;: True or False, # Whether memory event reporting is enabled.
        &quot;networkInfoEnabled&quot;: True or False, # Whether network info reporting is enabled.
        &quot;powerManagementEventsEnabled&quot;: True or False, # Whether power management event reporting is enabled. Report data is not available for personally owned devices with work profiles.
        &quot;softwareInfoEnabled&quot;: True or False, # Whether software info reporting is enabled.
        &quot;systemPropertiesEnabled&quot;: True or False, # Whether system properties reporting is enabled.
      },
      &quot;stayOnPluggedModes&quot;: [ # The battery plugged in modes for which the device stays on. When using this setting, it is recommended to clear maximum_time_to_lock so that the device doesn&#x27;t lock itself while it stays on.
        &quot;A String&quot;,
      ],
      &quot;systemUpdate&quot;: { # Configuration for managing system updatesNote: Google Play system updates (https://source.android.com/docs/core/ota/modular-system) (also called Mainline updates) are automatically downloaded but require a device reboot to be installed. Refer to the mainline section in Manage system updates (https://developer.android.com/work/dpc/system-updates#mainline) for further details. # The system update policy, which controls how OS updates are applied. If the update type is WINDOWED, the update window will automatically apply to Play app updates as well.Note: Google Play system updates (https://source.android.com/docs/core/ota/modular-system) (also called Mainline updates) are automatically downloaded and require a device reboot to be installed. Refer to the mainline section in Manage system updates (https://developer.android.com/work/dpc/system-updates#mainline) for further details.
        &quot;endMinutes&quot;: 42, # If the type is WINDOWED, the end of the maintenance window, measured as the number of minutes after midnight in device&#x27;s local time. This value must be between 0 and 1439, inclusive. If this value is less than start_minutes, then the maintenance window spans midnight. If the maintenance window specified is smaller than 30 minutes, the actual window is extended to 30 minutes beyond the start time.
        &quot;freezePeriods&quot;: [ # An annually repeating time period in which over-the-air (OTA) system updates are postponed to freeze the OS version running on a device. To prevent freezing the device indefinitely, each freeze period must be separated by at least 60 days.
          { # A system freeze period. When a device’s clock is within the freeze period, all incoming system updates (including security patches) are blocked and won’t be installed.When the device is outside any set freeze periods, the normal policy behavior (automatic, windowed, or postponed) applies.Leap years are ignored in freeze period calculations, in particular: If Feb. 29th is set as the start or end date of a freeze period, the freeze period will start or end on Feb. 28th instead. When a device’s system clock reads Feb. 29th, it’s treated as Feb. 28th. When calculating the number of days in a freeze period or the time between two freeze periods, Feb. 29th is ignored and not counted as a day.Note: For Freeze Periods to take effect, SystemUpdateType cannot be specified as SYSTEM_UPDATE_TYPE_UNSPECIFIED, because freeze periods require a defined policy to be specified.
            &quot;endDate&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: A full date, with non-zero year, month, and day values. A month and day, with a zero year (for example, an anniversary). A year on its own, with a zero month and a zero day. A year and month, with a zero day (for example, a credit card expiration date).Related types: google.type.TimeOfDay google.type.DateTime google.protobuf.Timestamp # The end date (inclusive) of the freeze period. Must be no later than 90 days from the start date. If the end date is earlier than the start date, the freeze period is considered wrapping year-end. Note: day and month must be set. year should not be set as it is not used. For example, {&quot;month&quot;: 1,&quot;date&quot;: 30}.
              &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
              &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
              &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
            },
            &quot;startDate&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: A full date, with non-zero year, month, and day values. A month and day, with a zero year (for example, an anniversary). A year on its own, with a zero month and a zero day. A year and month, with a zero day (for example, a credit card expiration date).Related types: google.type.TimeOfDay google.type.DateTime google.protobuf.Timestamp # The start date (inclusive) of the freeze period. Note: day and month must be set. year should not be set as it is not used. For example, {&quot;month&quot;: 1,&quot;date&quot;: 30}.
              &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
              &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
              &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
            },
          },
        ],
        &quot;startMinutes&quot;: 42, # If the type is WINDOWED, the start of the maintenance window, measured as the number of minutes after midnight in the device&#x27;s local time. This value must be between 0 and 1439, inclusive.
        &quot;type&quot;: &quot;A String&quot;, # The type of system update to configure.
      },
      &quot;tetheringConfigDisabled&quot;: True or False, # Whether configuring tethering and portable hotspots is disabled. If tetheringSettings is set to anything other than TETHERING_SETTINGS_UNSPECIFIED, this setting is ignored.
      &quot;uninstallAppsDisabled&quot;: True or False, # Whether user uninstallation of applications is disabled. This prevents apps from being uninstalled, even those removed using applications
      &quot;unmuteMicrophoneDisabled&quot;: True or False, # If microphone_access is set to any value other than MICROPHONE_ACCESS_UNSPECIFIED, this has no effect. Otherwise this field controls whether microphones are disabled: If true, all microphones are disabled, otherwise they are available. This is available only on fully managed devices.
      &quot;usageLog&quot;: { # Controls types of device activity logs collected from the device and reported via Pub/Sub notification (https://developers.google.com/android/management/notifications). # Configuration of device activity logging.
        &quot;enabledLogTypes&quot;: [ # Specifies which log types are enabled. Note that users will receive on-device messaging when usage logging is enabled.
          &quot;A String&quot;,
        ],
        &quot;uploadOnCellularAllowed&quot;: [ # Specifies which of the enabled log types can be uploaded over mobile data. By default logs are queued for upload when the device connects to WiFi.
          &quot;A String&quot;,
        ],
      },
      &quot;usbFileTransferDisabled&quot;: True or False, # Whether transferring files over USB is disabled. This is supported only on company-owned devices.
      &quot;usbMassStorageEnabled&quot;: True or False, # Whether USB storage is enabled. Deprecated.
      &quot;version&quot;: &quot;A String&quot;, # The version of the policy. This is a read-only field. The version is incremented each time the policy is updated.
      &quot;vpnConfigDisabled&quot;: True or False, # Whether configuring VPN is disabled.
      &quot;wifiConfigDisabled&quot;: True or False, # Whether configuring Wi-Fi networks is disabled. Supported on fully managed devices and work profiles on company-owned devices. For fully managed devices, setting this to true removes all configured networks and retains only the networks configured using openNetworkConfiguration. For work profiles on company-owned devices, existing configured networks are not affected and the user is not allowed to add, remove, or modify Wi-Fi networks. If configureWifi is set to anything other than CONFIGURE_WIFI_UNSPECIFIED, this setting is ignored. Note: If a network connection can&#x27;t be made at boot time and configuring Wi-Fi is disabled then network escape hatch will be shown in order to refresh the device policy (see networkEscapeHatchEnabled).
      &quot;wifiConfigsLockdownEnabled&quot;: True or False, # This is deprecated.
      &quot;wipeDataFlags&quot;: [ # Optional. Wipe flags to indicate what data is wiped when a device or profile wipe is triggered due to any reason (for example, non-compliance). This does not apply to the enterprises.devices.delete method. . This list must not have duplicates.
        &quot;A String&quot;,
      ],
      &quot;workAccountSetupConfig&quot;: { # Controls the work account setup configuration, such as details of whether a Google authenticated account is required. # Optional. Controls the work account setup configuration, such as details of whether a Google authenticated account is required.
        &quot;authenticationType&quot;: &quot;A String&quot;, # Optional. The authentication type of the user on the device.
        &quot;requiredAccountEmail&quot;: &quot;A String&quot;, # Optional. The specific google work account email address to be added. This field is only relevant if authenticationType is GOOGLE_AUTHENTICATED. This must be an enterprise account and not a consumer account. Once set and a Google authenticated account is added to the device, changing this field will have no effect, and thus recommended to be set only once.
      },
    },
  ],
}</pre>
</div>

<div class="method">
    <code class="details" id="list_next">list_next()</code>
  <pre>Retrieves the next page of results.

        Args:
          previous_request: The request for the previous page. (required)
          previous_response: The response from the request for the previous page. (required)

        Returns:
          A request object that you can call &#x27;execute()&#x27; on to request the next
          page. Returns None if there are no more items in the collection.
        </pre>
</div>

<div class="method">
    <code class="details" id="modifyPolicyApplications">modifyPolicyApplications(name, body=None, x__xgafv=None)</code>
  <pre>Updates or creates applications in a policy.

Args:
  name: string, Required. The name of the Policy containing the ApplicationPolicy objects to be updated, in the form enterprises/{enterpriseId}/policies/{policyId}. (required)
  body: object, The request body.
    The object takes the form of:

{ # Request to update or create ApplicationPolicy objects in the given Policy.
  &quot;changes&quot;: [ # Required. The changes to be made to the ApplicationPolicy objects. There must be at least one ApplicationPolicyChange.
    { # A change to be made to a single ApplicationPolicy object.
      &quot;application&quot;: { # Policy for an individual app. Note: Application availability on a given device cannot be changed using this policy if installAppsDisabled is enabled. The maximum number of applications that you can specify per policy is 3,000. # If ApplicationPolicy.packageName matches an existing ApplicationPolicy object within the Policy being modified, then that object will be updated. Otherwise, it will be added to the end of the Policy.applications.
        &quot;accessibleTrackIds&quot;: [ # List of the app’s track IDs that a device belonging to the enterprise can access. If the list contains multiple track IDs, devices receive the latest version among all accessible tracks. If the list contains no track IDs, devices only have access to the app’s production track. More details about each track are available in AppTrackInfo.
          &quot;A String&quot;,
        ],
        &quot;alwaysOnVpnLockdownExemption&quot;: &quot;A String&quot;, # Specifies whether the app is allowed networking when the VPN is not connected and alwaysOnVpnPackage.lockdownEnabled is enabled. If set to VPN_LOCKDOWN_ENFORCED, the app is not allowed networking, and if set to VPN_LOCKDOWN_EXEMPTION, the app is allowed networking. Only supported on devices running Android 10 and above. If this is not supported by the device, the device will contain a NonComplianceDetail with non_compliance_reason set to API_LEVEL and a fieldPath. If this is not applicable to the app, the device will contain a NonComplianceDetail with non_compliance_reason set to UNSUPPORTED and a fieldPath. The fieldPath is set to applications[i].alwaysOnVpnLockdownExemption, where i is the index of the package in the applications policy.
        &quot;autoUpdateMode&quot;: &quot;A String&quot;, # Controls the auto-update mode for the app.
        &quot;connectedWorkAndPersonalApp&quot;: &quot;A String&quot;, # Controls whether the app can communicate with itself across a device’s work and personal profiles, subject to user consent.
        &quot;credentialProviderPolicy&quot;: &quot;A String&quot;, # Optional. Whether the app is allowed to act as a credential provider on Android 14 and above.
        &quot;customAppConfig&quot;: { # Configuration for a custom app. # Optional. Configuration for this custom app.install_type must be set to CUSTOM for this to be set.
          &quot;userUninstallSettings&quot;: &quot;A String&quot;, # Optional. User uninstall settings of the custom app.
        },
        &quot;defaultPermissionPolicy&quot;: &quot;A String&quot;, # The default policy for all permissions requested by the app. If specified, this overrides the policy-level default_permission_policy which applies to all apps. It does not override the permission_grants which applies to all apps.
        &quot;delegatedScopes&quot;: [ # The scopes delegated to the app from Android Device Policy. These provide additional privileges for the applications they are applied to.
          &quot;A String&quot;,
        ],
        &quot;disabled&quot;: True or False, # Whether the app is disabled. When disabled, the app data is still preserved.
        &quot;extensionConfig&quot;: { # Configuration to enable an app as an extension app, with the capability of interacting with Android Device Policy offline. For Android versions 11 and above, extension apps are exempt from battery restrictions so will not be placed into the restricted App Standby Bucket (https://developer.android.com/topic/performance/appstandby#restricted-bucket). Extensions apps are also protected against users clearing their data or force-closing the application, although admins can continue to use the clear app data command on extension apps if needed for Android 11 and above. # Configuration to enable this app as an extension app, with the capability of interacting with Android Device Policy offline.This field can be set for at most one app. If there is any app with COMPANION_APP role, this field cannot be set.The signing key certificate fingerprint of the app on the device must match one of the entries in ApplicationPolicy.signingKeyCerts or ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) or the signing key certificate fingerprints obtained from Play Store for the app to be able to communicate with Android Device Policy. If the app is not on Play Store and if ApplicationPolicy.signingKeyCerts and ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) are not set, a NonComplianceDetail with INVALID_VALUE is reported.
          &quot;notificationReceiver&quot;: &quot;A String&quot;, # Fully qualified class name of the receiver service class for Android Device Policy to notify the extension app of any local command status updates. The service must be exported in the extension app&#x27;s AndroidManifest.xml and extend NotificationReceiverService (https://developers.google.com/android/management/reference/amapi/com/google/android/managementapi/notification/NotificationReceiverService) (see Integrate with the AMAPI SDK (https://developers.google.com/android/management/sdk-integration) guide for more details).
          &quot;signingKeyFingerprintsSha256&quot;: [ # Hex-encoded SHA-256 hashes of the signing key certificates of the extension app. Only hexadecimal string representations of 64 characters are valid.The signing key certificate fingerprints are always obtained from the Play Store and this field is used to provide additional signing key certificate fingerprints. However, if the application is not available on the Play Store, this field needs to be set. A NonComplianceDetail with INVALID_VALUE is reported if this field is not set when the application is not available on the Play Store.The signing key certificate fingerprint of the extension app on the device must match one of the signing key certificate fingerprints obtained from the Play Store or the ones provided in this field for the app to be able to communicate with Android Device Policy.In production use cases, it is recommended to leave this empty.
            &quot;A String&quot;,
          ],
        },
        &quot;installConstraint&quot;: [ # Optional. The constraints for installing the app. You can specify a maximum of one InstallConstraint. Multiple constraints are rejected.
          { # Amongst apps with InstallType set to: FORCE_INSTALLED PREINSTALLEDthis defines a set of restrictions for the app installation. At least one of the fields must be set. When multiple fields are set, then all the constraints need to be satisfied for the app to be installed.
            &quot;chargingConstraint&quot;: &quot;A String&quot;, # Optional. Charging constraint.
            &quot;deviceIdleConstraint&quot;: &quot;A String&quot;, # Optional. Device idle constraint.
            &quot;networkTypeConstraint&quot;: &quot;A String&quot;, # Optional. Network type constraint.
          },
        ],
        &quot;installPriority&quot;: 42, # Optional. Amongst apps with installType set to: FORCE_INSTALLED PREINSTALLEDthis controls the relative priority of installation. A value of 0 (default) means this app has no priority over other apps. For values between 1 and 10,000, a lower value means a higher priority. Values outside of the range 0 to 10,000 inclusive are rejected.
        &quot;installType&quot;: &quot;A String&quot;, # The type of installation to perform.
        &quot;lockTaskAllowed&quot;: True or False, # Whether the app is allowed to lock itself in full-screen mode. DEPRECATED. Use InstallType KIOSK or kioskCustomLauncherEnabled to configure a dedicated device.
        &quot;managedConfiguration&quot;: { # Managed configuration applied to the app. The format for the configuration is dictated by the ManagedProperty values supported by the app. Each field name in the managed configuration must match the key field of the ManagedProperty. The field value must be compatible with the type of the ManagedProperty: *type* *JSON value* BOOL true or false STRING string INTEGER number CHOICE string MULTISELECT array of strings HIDDEN string BUNDLE_ARRAY array of objects
          &quot;a_key&quot;: &quot;&quot;, # Properties of the object.
        },
        &quot;managedConfigurationTemplate&quot;: { # The managed configurations template for the app, saved from the managed configurations iframe. # The managed configurations template for the app, saved from the managed configurations iframe. This field is ignored if managed_configuration is set.
          &quot;configurationVariables&quot;: { # Optional, a map containing configuration variables defined for the configuration.
            &quot;a_key&quot;: &quot;A String&quot;,
          },
          &quot;templateId&quot;: &quot;A String&quot;, # The ID of the managed configurations template.
        },
        &quot;minimumVersionCode&quot;: 42, # The minimum version of the app that runs on the device. If set, the device attempts to update the app to at least this version code. If the app is not up-to-date, the device will contain a NonComplianceDetail with non_compliance_reason set to APP_NOT_UPDATED. The app must already be published to Google Play with a version code greater than or equal to this value. At most 20 apps may specify a minimum version code per policy.
        &quot;packageName&quot;: &quot;A String&quot;, # The package name of the app. For example, com.google.android.youtube for the YouTube app.
        &quot;permissionGrants&quot;: [ # Explicit permission grants or denials for the app. These values override the default_permission_policy and permission_grants which apply to all apps.
          { # Configuration for an Android permission and its grant state.
            &quot;permission&quot;: &quot;A String&quot;, # The Android permission or group, e.g. android.permission.READ_CALENDAR or android.permission_group.CALENDAR.
            &quot;policy&quot;: &quot;A String&quot;, # The policy for granting the permission.
          },
        ],
        &quot;preferentialNetworkId&quot;: &quot;A String&quot;, # Optional. ID of the preferential network the application uses. There must be a configuration for the specified network ID in preferentialNetworkServiceConfigs. If set to PREFERENTIAL_NETWORK_ID_UNSPECIFIED, the application will use the default network ID specified in defaultPreferentialNetworkId. See the documentation of defaultPreferentialNetworkId for the list of apps excluded from this defaulting. This applies on both work profiles and fully managed devices on Android 13 and above.
        &quot;roles&quot;: [ # Optional. Roles the app has.Apps having certain roles can be exempted from power and background execution restrictions, suspension and hibernation on Android 14 and above. The user control can also be disallowed for apps with certain roles on Android 11 and above. Refer to the documentation of each RoleType for more details.The app is notified about the roles that are set for it if the app has a notification receiver service with . The app is notified whenever its roles are updated or after the app is installed when it has nonempty list of roles. The app can use this notification to bootstrap itself after the installation. See Integrate with the AMAPI SDK (https://developers.google.com/android/management/sdk-integration) and Manage app roles (https://developers.google.com/android/management/app-roles) guides for more details on the requirements for the service.For the exemptions to be applied and the app to be notified about the roles, the signing key certificate fingerprint of the app on the device must match one of the signing key certificate fingerprints obtained from Play Store or one of the entries in ApplicationPolicy.signingKeyCerts. Otherwise, a NonComplianceDetail with APP_SIGNING_CERT_MISMATCH is reported.There must not be duplicate roles with the same roleType. Multiple apps cannot hold a role with the same roleType. A role with type ROLE_TYPE_UNSPECIFIED is not allowed.
          { # Role an app can have.
            &quot;roleType&quot;: &quot;A String&quot;, # Required. The type of the role an app can have.
          },
        ],
        &quot;signingKeyCerts&quot;: [ # Optional. Signing key certificates of the app.This field is required in the following cases: The app has installType set to CUSTOM (i.e. a custom app). The app has roles set to a nonempty list and the app does not exist on the Play Store. The app has extensionConfig set (i.e. an extension app) but ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) is not set and the app does not exist on the Play Store.If this field is not set for a custom app, the policy is rejected. If it is not set when required for a non-custom app, a NonComplianceDetail with INVALID_VALUE is reported.For other cases, this field is optional and the signing key certificates obtained from Play Store are used.See following policy settings to see how this field is used: choosePrivateKeyRules ApplicationPolicy.InstallType.CUSTOM ApplicationPolicy.extensionConfig ApplicationPolicy.roles
          { # The application signing key certificate.
            &quot;signingKeyCertFingerprintSha256&quot;: &quot;A String&quot;, # Required. The SHA-256 hash value of the signing key certificate of the app. This must be a valid SHA-256 hash value, i.e. 32 bytes. Otherwise, the policy is rejected.
          },
        ],
        &quot;userControlSettings&quot;: &quot;A String&quot;, # Optional. Specifies whether user control is permitted for the app. User control includes user actions like force-stopping and clearing app data. Certain types of apps have special treatment, see USER_CONTROL_SETTINGS_UNSPECIFIED and USER_CONTROL_ALLOWED for more details.
        &quot;workProfileWidgets&quot;: &quot;A String&quot;, # Specifies whether the app installed in the work profile is allowed to add widgets to the home screen.
      },
      &quot;updateMask&quot;: &quot;A String&quot;, # The field mask indicating the fields to update. If omitted, all modifiable fields are updated.
    },
  ],
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response to a request to update or create ApplicationPolicy objects in the given policy.
  &quot;policy&quot;: { # A policy resource represents a group of settings that govern the behavior of a managed device and the apps installed on it. # The updated policy.
    &quot;accountTypesWithManagementDisabled&quot;: [ # Account types that can&#x27;t be managed by the user.
      &quot;A String&quot;,
    ],
    &quot;addUserDisabled&quot;: True or False, # Whether adding new users and profiles is disabled. For devices where managementMode is DEVICE_OWNER this field is ignored and the user is never allowed to add or remove users.
    &quot;adjustVolumeDisabled&quot;: True or False, # Whether adjusting the master volume is disabled. Also mutes the device. The setting has effect only on fully managed devices.
    &quot;advancedSecurityOverrides&quot;: { # Advanced security settings. In most cases, setting these is not needed. # Advanced security settings. In most cases, setting these is not needed.
      &quot;commonCriteriaMode&quot;: &quot;A String&quot;, # Controls Common Criteria Mode—security standards defined in the Common Criteria for Information Technology Security Evaluation (https://www.commoncriteriaportal.org/) (CC). Enabling Common Criteria Mode increases certain security components on a device, see CommonCriteriaMode for details.Warning: Common Criteria Mode enforces a strict security model typically only required for IT products used in national security systems and other highly sensitive organizations. Standard device use may be affected. Only enabled if required. If Common Criteria Mode is turned off after being enabled previously, all user-configured Wi-Fi networks may be lost and any enterprise-configured Wi-Fi networks that require user input may need to be reconfigured.
      &quot;contentProtectionPolicy&quot;: &quot;A String&quot;, # Optional. Controls whether content protection, which scans for deceptive apps, is enabled. This is supported on Android 15 and above.
      &quot;developerSettings&quot;: &quot;A String&quot;, # Controls access to developer settings: developer options and safe boot. Replaces safeBootDisabled (deprecated) and debuggingFeaturesAllowed (deprecated). On personally-owned devices with a work profile, setting this policy will not disable safe boot. In this case, a NonComplianceDetail with MANAGEMENT_MODE is reported.
      &quot;googlePlayProtectVerifyApps&quot;: &quot;A String&quot;, # Whether Google Play Protect verification (https://support.google.com/accounts/answer/2812853) is enforced. Replaces ensureVerifyAppsEnabled (deprecated).
      &quot;mtePolicy&quot;: &quot;A String&quot;, # Optional. Controls Memory Tagging Extension (MTE) (https://source.android.com/docs/security/test/memory-safety/arm-mte) on the device. The device needs to be rebooted to apply changes to the MTE policy. On Android 15 and above, a NonComplianceDetail with PENDING is reported if the policy change is pending a device reboot.
      &quot;personalAppsThatCanReadWorkNotifications&quot;: [ # Personal apps that can read work profile notifications using a NotificationListenerService (https://developer.android.com/reference/android/service/notification/NotificationListenerService). By default, no personal apps (aside from system apps) can read work notifications. Each value in the list must be a package name.
        &quot;A String&quot;,
      ],
      &quot;untrustedAppsPolicy&quot;: &quot;A String&quot;, # The policy for untrusted apps (apps from unknown sources) enforced on the device. Replaces install_unknown_sources_allowed (deprecated).
    },
    &quot;alwaysOnVpnPackage&quot;: { # Configuration for an always-on VPN connection. # Configuration for an always-on VPN connection. Use with vpn_config_disabled to prevent modification of this setting.
      &quot;lockdownEnabled&quot;: True or False, # Disallows networking when the VPN is not connected.
      &quot;packageName&quot;: &quot;A String&quot;, # The package name of the VPN app.
    },
    &quot;androidDevicePolicyTracks&quot;: [ # This setting is not supported. Any value is ignored.
      &quot;A String&quot;,
    ],
    &quot;appAutoUpdatePolicy&quot;: &quot;A String&quot;, # Recommended alternative: autoUpdateMode which is set per app, provides greater flexibility around update frequency.When autoUpdateMode is set to AUTO_UPDATE_POSTPONED or AUTO_UPDATE_HIGH_PRIORITY, this field has no effect.The app auto update policy, which controls when automatic app updates can be applied.
    &quot;appFunctions&quot;: &quot;A String&quot;, # Optional. Controls whether apps on the device for fully managed devices or in the work profile for devices with work profiles are allowed to expose app functions.
    &quot;applications&quot;: [ # Policy applied to apps. This can have at most 3,000 elements.
      { # Policy for an individual app. Note: Application availability on a given device cannot be changed using this policy if installAppsDisabled is enabled. The maximum number of applications that you can specify per policy is 3,000.
        &quot;accessibleTrackIds&quot;: [ # List of the app’s track IDs that a device belonging to the enterprise can access. If the list contains multiple track IDs, devices receive the latest version among all accessible tracks. If the list contains no track IDs, devices only have access to the app’s production track. More details about each track are available in AppTrackInfo.
          &quot;A String&quot;,
        ],
        &quot;alwaysOnVpnLockdownExemption&quot;: &quot;A String&quot;, # Specifies whether the app is allowed networking when the VPN is not connected and alwaysOnVpnPackage.lockdownEnabled is enabled. If set to VPN_LOCKDOWN_ENFORCED, the app is not allowed networking, and if set to VPN_LOCKDOWN_EXEMPTION, the app is allowed networking. Only supported on devices running Android 10 and above. If this is not supported by the device, the device will contain a NonComplianceDetail with non_compliance_reason set to API_LEVEL and a fieldPath. If this is not applicable to the app, the device will contain a NonComplianceDetail with non_compliance_reason set to UNSUPPORTED and a fieldPath. The fieldPath is set to applications[i].alwaysOnVpnLockdownExemption, where i is the index of the package in the applications policy.
        &quot;autoUpdateMode&quot;: &quot;A String&quot;, # Controls the auto-update mode for the app.
        &quot;connectedWorkAndPersonalApp&quot;: &quot;A String&quot;, # Controls whether the app can communicate with itself across a device’s work and personal profiles, subject to user consent.
        &quot;credentialProviderPolicy&quot;: &quot;A String&quot;, # Optional. Whether the app is allowed to act as a credential provider on Android 14 and above.
        &quot;customAppConfig&quot;: { # Configuration for a custom app. # Optional. Configuration for this custom app.install_type must be set to CUSTOM for this to be set.
          &quot;userUninstallSettings&quot;: &quot;A String&quot;, # Optional. User uninstall settings of the custom app.
        },
        &quot;defaultPermissionPolicy&quot;: &quot;A String&quot;, # The default policy for all permissions requested by the app. If specified, this overrides the policy-level default_permission_policy which applies to all apps. It does not override the permission_grants which applies to all apps.
        &quot;delegatedScopes&quot;: [ # The scopes delegated to the app from Android Device Policy. These provide additional privileges for the applications they are applied to.
          &quot;A String&quot;,
        ],
        &quot;disabled&quot;: True or False, # Whether the app is disabled. When disabled, the app data is still preserved.
        &quot;extensionConfig&quot;: { # Configuration to enable an app as an extension app, with the capability of interacting with Android Device Policy offline. For Android versions 11 and above, extension apps are exempt from battery restrictions so will not be placed into the restricted App Standby Bucket (https://developer.android.com/topic/performance/appstandby#restricted-bucket). Extensions apps are also protected against users clearing their data or force-closing the application, although admins can continue to use the clear app data command on extension apps if needed for Android 11 and above. # Configuration to enable this app as an extension app, with the capability of interacting with Android Device Policy offline.This field can be set for at most one app. If there is any app with COMPANION_APP role, this field cannot be set.The signing key certificate fingerprint of the app on the device must match one of the entries in ApplicationPolicy.signingKeyCerts or ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) or the signing key certificate fingerprints obtained from Play Store for the app to be able to communicate with Android Device Policy. If the app is not on Play Store and if ApplicationPolicy.signingKeyCerts and ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) are not set, a NonComplianceDetail with INVALID_VALUE is reported.
          &quot;notificationReceiver&quot;: &quot;A String&quot;, # Fully qualified class name of the receiver service class for Android Device Policy to notify the extension app of any local command status updates. The service must be exported in the extension app&#x27;s AndroidManifest.xml and extend NotificationReceiverService (https://developers.google.com/android/management/reference/amapi/com/google/android/managementapi/notification/NotificationReceiverService) (see Integrate with the AMAPI SDK (https://developers.google.com/android/management/sdk-integration) guide for more details).
          &quot;signingKeyFingerprintsSha256&quot;: [ # Hex-encoded SHA-256 hashes of the signing key certificates of the extension app. Only hexadecimal string representations of 64 characters are valid.The signing key certificate fingerprints are always obtained from the Play Store and this field is used to provide additional signing key certificate fingerprints. However, if the application is not available on the Play Store, this field needs to be set. A NonComplianceDetail with INVALID_VALUE is reported if this field is not set when the application is not available on the Play Store.The signing key certificate fingerprint of the extension app on the device must match one of the signing key certificate fingerprints obtained from the Play Store or the ones provided in this field for the app to be able to communicate with Android Device Policy.In production use cases, it is recommended to leave this empty.
            &quot;A String&quot;,
          ],
        },
        &quot;installConstraint&quot;: [ # Optional. The constraints for installing the app. You can specify a maximum of one InstallConstraint. Multiple constraints are rejected.
          { # Amongst apps with InstallType set to: FORCE_INSTALLED PREINSTALLEDthis defines a set of restrictions for the app installation. At least one of the fields must be set. When multiple fields are set, then all the constraints need to be satisfied for the app to be installed.
            &quot;chargingConstraint&quot;: &quot;A String&quot;, # Optional. Charging constraint.
            &quot;deviceIdleConstraint&quot;: &quot;A String&quot;, # Optional. Device idle constraint.
            &quot;networkTypeConstraint&quot;: &quot;A String&quot;, # Optional. Network type constraint.
          },
        ],
        &quot;installPriority&quot;: 42, # Optional. Amongst apps with installType set to: FORCE_INSTALLED PREINSTALLEDthis controls the relative priority of installation. A value of 0 (default) means this app has no priority over other apps. For values between 1 and 10,000, a lower value means a higher priority. Values outside of the range 0 to 10,000 inclusive are rejected.
        &quot;installType&quot;: &quot;A String&quot;, # The type of installation to perform.
        &quot;lockTaskAllowed&quot;: True or False, # Whether the app is allowed to lock itself in full-screen mode. DEPRECATED. Use InstallType KIOSK or kioskCustomLauncherEnabled to configure a dedicated device.
        &quot;managedConfiguration&quot;: { # Managed configuration applied to the app. The format for the configuration is dictated by the ManagedProperty values supported by the app. Each field name in the managed configuration must match the key field of the ManagedProperty. The field value must be compatible with the type of the ManagedProperty: *type* *JSON value* BOOL true or false STRING string INTEGER number CHOICE string MULTISELECT array of strings HIDDEN string BUNDLE_ARRAY array of objects
          &quot;a_key&quot;: &quot;&quot;, # Properties of the object.
        },
        &quot;managedConfigurationTemplate&quot;: { # The managed configurations template for the app, saved from the managed configurations iframe. # The managed configurations template for the app, saved from the managed configurations iframe. This field is ignored if managed_configuration is set.
          &quot;configurationVariables&quot;: { # Optional, a map containing configuration variables defined for the configuration.
            &quot;a_key&quot;: &quot;A String&quot;,
          },
          &quot;templateId&quot;: &quot;A String&quot;, # The ID of the managed configurations template.
        },
        &quot;minimumVersionCode&quot;: 42, # The minimum version of the app that runs on the device. If set, the device attempts to update the app to at least this version code. If the app is not up-to-date, the device will contain a NonComplianceDetail with non_compliance_reason set to APP_NOT_UPDATED. The app must already be published to Google Play with a version code greater than or equal to this value. At most 20 apps may specify a minimum version code per policy.
        &quot;packageName&quot;: &quot;A String&quot;, # The package name of the app. For example, com.google.android.youtube for the YouTube app.
        &quot;permissionGrants&quot;: [ # Explicit permission grants or denials for the app. These values override the default_permission_policy and permission_grants which apply to all apps.
          { # Configuration for an Android permission and its grant state.
            &quot;permission&quot;: &quot;A String&quot;, # The Android permission or group, e.g. android.permission.READ_CALENDAR or android.permission_group.CALENDAR.
            &quot;policy&quot;: &quot;A String&quot;, # The policy for granting the permission.
          },
        ],
        &quot;preferentialNetworkId&quot;: &quot;A String&quot;, # Optional. ID of the preferential network the application uses. There must be a configuration for the specified network ID in preferentialNetworkServiceConfigs. If set to PREFERENTIAL_NETWORK_ID_UNSPECIFIED, the application will use the default network ID specified in defaultPreferentialNetworkId. See the documentation of defaultPreferentialNetworkId for the list of apps excluded from this defaulting. This applies on both work profiles and fully managed devices on Android 13 and above.
        &quot;roles&quot;: [ # Optional. Roles the app has.Apps having certain roles can be exempted from power and background execution restrictions, suspension and hibernation on Android 14 and above. The user control can also be disallowed for apps with certain roles on Android 11 and above. Refer to the documentation of each RoleType for more details.The app is notified about the roles that are set for it if the app has a notification receiver service with . The app is notified whenever its roles are updated or after the app is installed when it has nonempty list of roles. The app can use this notification to bootstrap itself after the installation. See Integrate with the AMAPI SDK (https://developers.google.com/android/management/sdk-integration) and Manage app roles (https://developers.google.com/android/management/app-roles) guides for more details on the requirements for the service.For the exemptions to be applied and the app to be notified about the roles, the signing key certificate fingerprint of the app on the device must match one of the signing key certificate fingerprints obtained from Play Store or one of the entries in ApplicationPolicy.signingKeyCerts. Otherwise, a NonComplianceDetail with APP_SIGNING_CERT_MISMATCH is reported.There must not be duplicate roles with the same roleType. Multiple apps cannot hold a role with the same roleType. A role with type ROLE_TYPE_UNSPECIFIED is not allowed.
          { # Role an app can have.
            &quot;roleType&quot;: &quot;A String&quot;, # Required. The type of the role an app can have.
          },
        ],
        &quot;signingKeyCerts&quot;: [ # Optional. Signing key certificates of the app.This field is required in the following cases: The app has installType set to CUSTOM (i.e. a custom app). The app has roles set to a nonempty list and the app does not exist on the Play Store. The app has extensionConfig set (i.e. an extension app) but ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) is not set and the app does not exist on the Play Store.If this field is not set for a custom app, the policy is rejected. If it is not set when required for a non-custom app, a NonComplianceDetail with INVALID_VALUE is reported.For other cases, this field is optional and the signing key certificates obtained from Play Store are used.See following policy settings to see how this field is used: choosePrivateKeyRules ApplicationPolicy.InstallType.CUSTOM ApplicationPolicy.extensionConfig ApplicationPolicy.roles
          { # The application signing key certificate.
            &quot;signingKeyCertFingerprintSha256&quot;: &quot;A String&quot;, # Required. The SHA-256 hash value of the signing key certificate of the app. This must be a valid SHA-256 hash value, i.e. 32 bytes. Otherwise, the policy is rejected.
          },
        ],
        &quot;userControlSettings&quot;: &quot;A String&quot;, # Optional. Specifies whether user control is permitted for the app. User control includes user actions like force-stopping and clearing app data. Certain types of apps have special treatment, see USER_CONTROL_SETTINGS_UNSPECIFIED and USER_CONTROL_ALLOWED for more details.
        &quot;workProfileWidgets&quot;: &quot;A String&quot;, # Specifies whether the app installed in the work profile is allowed to add widgets to the home screen.
      },
    ],
    &quot;assistContentPolicy&quot;: &quot;A String&quot;, # Optional. Controls whether AssistContent (https://developer.android.com/reference/android/app/assist/AssistContent) is allowed to be sent to a privileged app such as an assistant app. AssistContent includes screenshots and information about an app, such as package name. This is supported on Android 15 and above.
    &quot;autoDateAndTimeZone&quot;: &quot;A String&quot;, # Whether auto date, time, and time zone are enabled on a company-owned device. If this is set, then autoTimeRequired is ignored.
    &quot;autoTimeRequired&quot;: True or False, # Whether auto time is required, which prevents the user from manually setting the date and time. If autoDateAndTimeZone is set, this field is ignored.
    &quot;blockApplicationsEnabled&quot;: True or False, # Whether applications other than the ones configured in applications are blocked from being installed. When set, applications that were installed under a previous policy but no longer appear in the policy are automatically uninstalled.
    &quot;bluetoothConfigDisabled&quot;: True or False, # Whether configuring bluetooth is disabled.
    &quot;bluetoothContactSharingDisabled&quot;: True or False, # Whether bluetooth contact sharing is disabled.
    &quot;bluetoothDisabled&quot;: True or False, # Whether bluetooth is disabled. Prefer this setting over bluetooth_config_disabled because bluetooth_config_disabled can be bypassed by the user.
    &quot;cameraAccess&quot;: &quot;A String&quot;, # Controls the use of the camera and whether the user has access to the camera access toggle.
    &quot;cameraDisabled&quot;: True or False, # If camera_access is set to any value other than CAMERA_ACCESS_UNSPECIFIED, this has no effect. Otherwise this field controls whether cameras are disabled: If true, all cameras are disabled, otherwise they are available. For fully managed devices this field applies for all apps on the device. For work profiles, this field applies only to apps in the work profile, and the camera access of apps outside the work profile is unaffected.
    &quot;cellBroadcastsConfigDisabled&quot;: True or False, # Whether configuring cell broadcast is disabled.
    &quot;choosePrivateKeyRules&quot;: [ # Rules for determining apps&#x27; access to private keys. See ChoosePrivateKeyRule for details. This must be empty if any application has CERT_SELECTION delegation scope.
      { # Controls apps&#x27; access to private keys. The rule determines which private key, if any, Android Device Policy grants to the specified app. Access is granted either when the app calls KeyChain.choosePrivateKeyAlias (https://developer.android.com/reference/android/security/KeyChain#choosePrivateKeyAlias%28android.app.Activity,%20android.security.KeyChainAliasCallback,%20java.lang.String[],%20java.security.Principal[],%20java.lang.String,%20int,%20java.lang.String%29) (or any overloads) to request a private key alias for a given URL, or for rules that are not URL-specific (that is, if urlPattern is not set, or set to the empty string or .*) on Android 11 and above, directly so that the app can call KeyChain.getPrivateKey (https://developer.android.com/reference/android/security/KeyChain#getPrivateKey%28android.content.Context,%20java.lang.String%29), without first having to call KeyChain.choosePrivateKeyAlias.When an app calls KeyChain.choosePrivateKeyAlias if more than one choosePrivateKeyRules matches, the last matching rule defines which key alias to return.
        &quot;packageNames&quot;: [ # The package names to which this rule applies. The signing key certificate fingerprint of the app is verified against the signing key certificate fingerprints provided by Play Store and ApplicationPolicy.signingKeyCerts . If no package names are specified, then the alias is provided to all apps that call KeyChain.choosePrivateKeyAlias (https://developer.android.com/reference/android/security/KeyChain#choosePrivateKeyAlias%28android.app.Activity,%20android.security.KeyChainAliasCallback,%20java.lang.String[],%20java.security.Principal[],%20java.lang.String,%20int,%20java.lang.String%29) or any overloads (but not without calling KeyChain.choosePrivateKeyAlias, even on Android 11 and above). Any app with the same Android UID as a package specified here will have access when they call KeyChain.choosePrivateKeyAlias.
          &quot;A String&quot;,
        ],
        &quot;privateKeyAlias&quot;: &quot;A String&quot;, # The alias of the private key to be used.
        &quot;urlPattern&quot;: &quot;A String&quot;, # The URL pattern to match against the URL of the request. If not set or empty, it matches all URLs. This uses the regular expression syntax of java.util.regex.Pattern.
      },
    ],
    &quot;complianceRules&quot;: [ # Rules declaring which mitigating actions to take when a device is not compliant with its policy. When the conditions for multiple rules are satisfied, all of the mitigating actions for the rules are taken. There is a maximum limit of 100 rules. Use policy enforcement rules instead.
      { # A rule declaring which mitigating actions to take when a device is not compliant with its policy. For every rule, there is always an implicit mitigating action to set policy_compliant to false for the Device resource, and display a message on the device indicating that the device is not compliant with its policy. Other mitigating actions may optionally be taken as well, depending on the field values in the rule.
        &quot;apiLevelCondition&quot;: { # A compliance rule condition which is satisfied if the Android Framework API level on the device doesn&#x27;t meet a minimum requirement. There can only be one rule with this type of condition per policy. # A condition which is satisfied if the Android Framework API level on the device doesn&#x27;t meet a minimum requirement.
          &quot;minApiLevel&quot;: 42, # The minimum desired Android Framework API level. If the device doesn&#x27;t meet the minimum requirement, this condition is satisfied. Must be greater than zero.
        },
        &quot;disableApps&quot;: True or False, # If set to true, the rule includes a mitigating action to disable apps so that the device is effectively disabled, but app data is preserved. If the device is running an app in locked task mode, the app will be closed and a UI showing the reason for non-compliance will be displayed.
        &quot;nonComplianceDetailCondition&quot;: { # A compliance rule condition which is satisfied if there exists any matching NonComplianceDetail for the device. A NonComplianceDetail matches a NonComplianceDetailCondition if all the fields which are set within the NonComplianceDetailCondition match the corresponding NonComplianceDetail fields. # A condition which is satisfied if there exists any matching NonComplianceDetail for the device.
          &quot;nonComplianceReason&quot;: &quot;A String&quot;, # The reason the device is not in compliance with the setting. If not set, then this condition matches any reason.
          &quot;packageName&quot;: &quot;A String&quot;, # The package name of the app that&#x27;s out of compliance. If not set, then this condition matches any package name.
          &quot;settingName&quot;: &quot;A String&quot;, # The name of the policy setting. This is the JSON field name of a top-level Policy field. If not set, then this condition matches any setting name.
        },
        &quot;packageNamesToDisable&quot;: [ # If set, the rule includes a mitigating action to disable apps specified in the list, but app data is preserved.
          &quot;A String&quot;,
        ],
      },
    ],
    &quot;createWindowsDisabled&quot;: True or False, # Whether creating windows besides app windows is disabled.
    &quot;credentialProviderPolicyDefault&quot;: &quot;A String&quot;, # Controls which apps are allowed to act as credential providers on Android 14 and above. These apps store credentials, see this (https://developer.android.com/training/sign-in/passkeys) and this (https://developer.android.com/reference/androidx/credentials/CredentialManager) for details. See also credentialProviderPolicy.
    &quot;credentialsConfigDisabled&quot;: True or False, # Whether configuring user credentials is disabled.
    &quot;crossProfilePolicies&quot;: { # Controls the data from the work profile that can be accessed from the personal profile and vice versa. A NonComplianceDetail with MANAGEMENT_MODE is reported if the device does not have a work profile. # Cross-profile policies applied on the device.
      &quot;crossProfileAppFunctions&quot;: &quot;A String&quot;, # Optional. Controls whether personal profile apps can invoke app functions exposed by apps in the work profile.
      &quot;crossProfileCopyPaste&quot;: &quot;A String&quot;, # Whether text copied from one profile (personal or work) can be pasted in the other profile.
      &quot;crossProfileDataSharing&quot;: &quot;A String&quot;, # Whether data from one profile (personal or work) can be shared with apps in the other profile. Specifically controls simple data sharing via intents. Management of other cross-profile communication channels, such as contact search, copy/paste, or connected work &amp; personal apps, are configured separately.
      &quot;exemptionsToShowWorkContactsInPersonalProfile&quot;: { # A list of package names. # List of apps which are excluded from the ShowWorkContactsInPersonalProfile setting. For this to be set, ShowWorkContactsInPersonalProfile must be set to one of the following values: SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_ALLOWED. In this case, these exemptions act as a blocklist. SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED. In this case, these exemptions act as an allowlist. SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED_EXCEPT_SYSTEM. In this case, these exemptions act as an allowlist, in addition to the already allowlisted system apps.Supported on Android 14 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 14.
        &quot;packageNames&quot;: [ # A list of package names.
          &quot;A String&quot;,
        ],
      },
      &quot;showWorkContactsInPersonalProfile&quot;: &quot;A String&quot;, # Whether personal apps can access contacts stored in the work profile.See also exemptions_to_show_work_contacts_in_personal_profile.
      &quot;workProfileWidgetsDefault&quot;: &quot;A String&quot;, # Specifies the default behaviour for work profile widgets. If the policy does not specify work_profile_widgets for a specific application, it will behave according to the value specified here.
    },
    &quot;dataRoamingDisabled&quot;: True or False, # Whether roaming data services are disabled.
    &quot;debuggingFeaturesAllowed&quot;: True or False, # Whether the user is allowed to enable debugging features.
    &quot;defaultApplicationSettings&quot;: [ # Optional. The default application setting for supported types. If the default application is successfully set for at least one app type on a profile, users are prevented from changing any default applications on that profile.Only one DefaultApplicationSetting is allowed for each DefaultApplicationType.See Default application settings (https://developers.google.com/android/management/default-application-settings) guide for more details.
      { # The default application setting for a DefaultApplicationType.
        &quot;defaultApplicationScopes&quot;: [ # Required. The scopes to which the policy should be applied. This list must not be empty or contain duplicates.A NonComplianceDetail with MANAGEMENT_MODE reason and DEFAULT_APPLICATION_SETTING_UNSUPPORTED_SCOPES specific reason is reported if none of the specified scopes can be applied to the management mode (e.g. a fully managed device receives a policy with only SCOPE_PERSONAL_PROFILE in the list).
          &quot;A String&quot;,
        ],
        &quot;defaultApplicationType&quot;: &quot;A String&quot;, # Required. The app type to set the default application.
        &quot;defaultApplications&quot;: [ # Required. The list of applications that can be set as the default app for a given type. This list must not be empty or contain duplicates. The first app in the list that is installed and qualified for the defaultApplicationType (e.g. SMS app for DEFAULT_SMS) is set as the default app. The signing key certificate fingerprint of the app on the device must also match one of the signing key certificate fingerprints obtained from Play Store or one of the entries in ApplicationPolicy.signingKeyCerts in order to be set as the default.If the defaultApplicationScopes contains SCOPE_FULLY_MANAGED or SCOPE_WORK_PROFILE, the app must have an entry in applications with installType set to a value other than BLOCKED.A NonComplianceDetail with APP_NOT_INSTALLED reason and DEFAULT_APPLICATION_SETTING_FAILED_FOR_SCOPE specific reason is reported if none of the apps in the list are installed. A NonComplianceDetail with INVALID_VALUE reason and DEFAULT_APPLICATION_SETTING_FAILED_FOR_SCOPE specific reason is reported if at least one app is installed but the policy fails to apply due to other reasons (e.g. the app is not of the right type).When applying to SCOPE_PERSONAL_PROFILE on a company-owned device with a work profile, only pre-installed system apps can be set as the default. A NonComplianceDetail with INVALID_VALUE reason and DEFAULT_APPLICATION_SETTING_FAILED_FOR_SCOPE specific reason is reported if the policy fails to apply to the personal profile.
          { # Information about the application to be set as the default.
            &quot;packageName&quot;: &quot;A String&quot;, # Required. The package name that should be set as the default application. The policy is rejected if the package name is invalid.
          },
        ],
      },
    ],
    &quot;defaultPermissionPolicy&quot;: &quot;A String&quot;, # The default permission policy for runtime permission requests.
    &quot;deviceConnectivityManagement&quot;: { # Covers controls for device connectivity such as Wi-Fi, USB data access, keyboard/mouse connections, and more. # Covers controls for device connectivity such as Wi-Fi, USB data access, keyboard/mouse connections, and more.
      &quot;apnPolicy&quot;: { # Access Point Name (APN) policy. Configuration for Access Point Names (APNs) which may override any other APNs on the device. See OVERRIDE_APNS_ENABLED and overrideApns for details. # Optional. Access Point Name (APN) policy. Configuration for Access Point Names (APNs) which may override any other APNs on the device. See OVERRIDE_APNS_ENABLED and overrideApns for details.
        &quot;apnSettings&quot;: [ # Optional. APN settings for override APNs. There must not be any conflict between any of APN settings provided, otherwise the policy will be rejected. Two ApnSettings are considered to conflict when all of the following fields match on both: numericOperatorId, apn, proxyAddress, proxyPort, mmsProxyAddress, mmsProxyPort, mmsc, mvnoType, protocol, roamingProtocol. If some of the APN settings result in non-compliance of INVALID_VALUE , they will be ignored. This can be set on fully managed devices on Android 10 and above. This can also be set on work profiles on Android 13 and above and only with ApnSetting&#x27;s with ENTERPRISE APN type. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 10. A NonComplianceDetail with MANAGEMENT_MODE is reported for work profiles on Android versions less than 13.
          { # An Access Point Name (APN) configuration for a carrier data connection. The APN provides configuration to connect a cellular network device to an IP data network. A carrier uses this setting to decide which IP address to assign, any security methods to apply, and how the device might be connected to private networks.
            &quot;alwaysOnSetting&quot;: &quot;A String&quot;, # Optional. Whether User Plane resources have to be activated during every transition from CM-IDLE mode to CM-CONNECTED state for this APN. See 3GPP TS 23.501 section 5.6.13.
            &quot;apn&quot;: &quot;A String&quot;, # Required. Name of the APN. Policy will be rejected if this field is empty.
            &quot;apnTypes&quot;: [ # Required. Usage categories for the APN. Policy will be rejected if this field is empty or contains APN_TYPE_UNSPECIFIED or duplicates. Multiple APN types can be set on fully managed devices. ENTERPRISE is the only allowed APN type on work profiles. A NonComplianceDetail with MANAGEMENT_MODE is reported for any other value on work profiles. APN types that are not supported on the device or management mode will be ignored. If this results in the empty list, the APN setting will be ignored, because apnTypes is a required field. A NonComplianceDetail with INVALID_VALUE is reported if none of the APN types are supported on the device or management mode.
              &quot;A String&quot;,
            ],
            &quot;authType&quot;: &quot;A String&quot;, # Optional. Authentication type of the APN.
            &quot;carrierId&quot;: 42, # Optional. Carrier ID for the APN. A value of 0 (default) means not set and negative values are rejected.
            &quot;displayName&quot;: &quot;A String&quot;, # Required. Human-readable name that describes the APN. Policy will be rejected if this field is empty.
            &quot;mmsProxyAddress&quot;: &quot;A String&quot;, # Optional. MMS (Multimedia Messaging Service) proxy address of the APN which can be an IP address or hostname (not a URL).
            &quot;mmsProxyPort&quot;: 42, # Optional. MMS (Multimedia Messaging Service) proxy port of the APN. A value of 0 (default) means not set and negative values are rejected.
            &quot;mmsc&quot;: &quot;A String&quot;, # Optional. MMSC (Multimedia Messaging Service Center) URI of the APN.
            &quot;mtuV4&quot;: 42, # Optional. The default MTU (Maximum Transmission Unit) size in bytes of the IPv4 routes brought up by this APN setting. A value of 0 (default) means not set and negative values are rejected. Supported on Android 13 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 13.
            &quot;mtuV6&quot;: 42, # Optional. The MTU (Maximum Transmission Unit) size of the IPv6 mobile interface to which the APN connected. A value of 0 (default) means not set and negative values are rejected. Supported on Android 13 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 13.
            &quot;mvnoType&quot;: &quot;A String&quot;, # Optional. MVNO match type for the APN.
            &quot;networkTypes&quot;: [ # Optional. Radio technologies (network types) the APN may use. Policy will be rejected if this field contains NETWORK_TYPE_UNSPECIFIED or duplicates.
              &quot;A String&quot;,
            ],
            &quot;numericOperatorId&quot;: &quot;A String&quot;, # Optional. The numeric operator ID of the APN. Numeric operator ID is defined as MCC (Mobile Country Code) + MNC (Mobile Network Code).
            &quot;password&quot;: &quot;A String&quot;, # Optional. APN password of the APN.
            &quot;protocol&quot;: &quot;A String&quot;, # Optional. The protocol to use to connect to this APN.
            &quot;proxyAddress&quot;: &quot;A String&quot;, # Optional. The proxy address of the APN.
            &quot;proxyPort&quot;: 42, # Optional. The proxy port of the APN. A value of 0 (default) means not set and negative values are rejected.
            &quot;roamingProtocol&quot;: &quot;A String&quot;, # Optional. The protocol to use to connect to this APN while the device is roaming.
            &quot;username&quot;: &quot;A String&quot;, # Optional. APN username of the APN.
          },
        ],
        &quot;overrideApns&quot;: &quot;A String&quot;, # Optional. Whether override APNs are disabled or enabled. See DevicePolicyManager.setOverrideApnsEnabled (https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setOverrideApnsEnabled) for more details.
      },
      &quot;bluetoothSharing&quot;: &quot;A String&quot;, # Optional. Controls whether Bluetooth sharing is allowed.
      &quot;configureWifi&quot;: &quot;A String&quot;, # Controls Wi-Fi configuring privileges. Based on the option set, user will have either full or limited or no control in configuring Wi-Fi networks.
      &quot;preferentialNetworkServiceSettings&quot;: { # Preferential network service settings. # Optional. Preferential network service configuration. Setting this field will override preferentialNetworkService. This can be set on both work profiles and fully managed devices on Android 13 and above. See 5G network slicing (https://developers.google.com/android/management/5g-network-slicing) guide for more details.
        &quot;defaultPreferentialNetworkId&quot;: &quot;A String&quot;, # Required. Default preferential network ID for the applications that are not in applications or if ApplicationPolicy.preferentialNetworkId is set to PREFERENTIAL_NETWORK_ID_UNSPECIFIED. There must be a configuration for the specified network ID in preferentialNetworkServiceConfigs, unless this is set to NO_PREFERENTIAL_NETWORK. If set to PREFERENTIAL_NETWORK_ID_UNSPECIFIED or unset, this defaults to NO_PREFERENTIAL_NETWORK. Note: If the default preferential network is misconfigured, applications with no ApplicationPolicy.preferentialNetworkId set are not able to access the internet. This setting does not apply to the following critical apps: com.google.android.apps.work.clouddpc com.google.android.gmsApplicationPolicy.preferentialNetworkId can still be used to configure the preferential network for them.
        &quot;preferentialNetworkServiceConfigs&quot;: [ # Required. Preferential network service configurations which enables having multiple enterprise slices. There must not be multiple configurations with the same preferentialNetworkId. If a configuration is not referenced by any application by setting ApplicationPolicy.preferentialNetworkId or by setting defaultPreferentialNetworkId, it will be ignored. For devices on 4G networks, enterprise APN needs to be configured additionally to set up data call for preferential network service. These APNs can be added using apnPolicy.
          { # Individual preferential network service configuration.
            &quot;fallbackToDefaultConnection&quot;: &quot;A String&quot;, # Optional. Whether fallback to the device-wide default network is allowed. If this is set to FALLBACK_TO_DEFAULT_CONNECTION_ALLOWED, then nonMatchingNetworks must not be set to NON_MATCHING_NETWORKS_DISALLOWED, the policy will be rejected otherwise. Note: If this is set to FALLBACK_TO_DEFAULT_CONNECTION_DISALLOWED, applications are not able to access the internet if the 5G slice is not available.
            &quot;nonMatchingNetworks&quot;: &quot;A String&quot;, # Optional. Whether apps this configuration applies to are blocked from using networks other than the preferential service. If this is set to NON_MATCHING_NETWORKS_DISALLOWED, then fallbackToDefaultConnection must be set to FALLBACK_TO_DEFAULT_CONNECTION_DISALLOWED.
            &quot;preferentialNetworkId&quot;: &quot;A String&quot;, # Required. Preferential network identifier. This must not be set to NO_PREFERENTIAL_NETWORK or PREFERENTIAL_NETWORK_ID_UNSPECIFIED, the policy will be rejected otherwise.
          },
        ],
      },
      &quot;tetheringSettings&quot;: &quot;A String&quot;, # Controls tethering settings. Based on the value set, the user is partially or fully disallowed from using different forms of tethering.
      &quot;usbDataAccess&quot;: &quot;A String&quot;, # Controls what files and/or data can be transferred via USB. Supported only on company-owned devices.
      &quot;wifiDirectSettings&quot;: &quot;A String&quot;, # Controls configuring and using Wi-Fi direct settings. Supported on company-owned devices running Android 13 and above.
      &quot;wifiRoamingPolicy&quot;: { # Wi-Fi roaming policy. # Optional. Wi-Fi roaming policy.
        &quot;wifiRoamingSettings&quot;: [ # Optional. Wi-Fi roaming settings. SSIDs provided in this list must be unique, the policy will be rejected otherwise.
          { # Wi-Fi roaming setting.
            &quot;wifiRoamingMode&quot;: &quot;A String&quot;, # Required. Wi-Fi roaming mode for the specified SSID.
            &quot;wifiSsid&quot;: &quot;A String&quot;, # Required. SSID of the Wi-Fi network.
          },
        ],
      },
      &quot;wifiSsidPolicy&quot;: { # Restrictions on which Wi-Fi SSIDs the device can connect to. Note that this does not affect which networks can be configured on the device. Supported on company-owned devices running Android 13 and above. # Restrictions on which Wi-Fi SSIDs the device can connect to. Note that this does not affect which networks can be configured on the device. Supported on company-owned devices running Android 13 and above.
        &quot;wifiSsidPolicyType&quot;: &quot;A String&quot;, # Type of the Wi-Fi SSID policy to be applied.
        &quot;wifiSsids&quot;: [ # Optional. List of Wi-Fi SSIDs that should be applied in the policy. This field must be non-empty when WifiSsidPolicyType is set to WIFI_SSID_ALLOWLIST. If this is set to a non-empty list, then a NonComplianceDetail detail with API_LEVEL is reported if the Android version is less than 13 and a NonComplianceDetail with MANAGEMENT_MODE is reported for non-company-owned devices.
          { # Represents a Wi-Fi SSID.
            &quot;wifiSsid&quot;: &quot;A String&quot;, # Required. Wi-Fi SSID represented as a string.
          },
        ],
      },
    },
    &quot;deviceOwnerLockScreenInfo&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # The device owner information to be shown on the lock screen.
      &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
      &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
        &quot;a_key&quot;: &quot;A String&quot;,
      },
    },
    &quot;deviceRadioState&quot;: { # Controls for device radio settings. # Covers controls for radio state such as Wi-Fi, bluetooth, and more.
      &quot;airplaneModeState&quot;: &quot;A String&quot;, # Controls whether airplane mode can be toggled by the user or not.
      &quot;cellularTwoGState&quot;: &quot;A String&quot;, # Controls whether cellular 2G setting can be toggled by the user or not.
      &quot;minimumWifiSecurityLevel&quot;: &quot;A String&quot;, # The minimum required security level of Wi-Fi networks that the device can connect to.
      &quot;ultraWidebandState&quot;: &quot;A String&quot;, # Controls the state of the ultra wideband setting and whether the user can toggle it on or off.
      &quot;wifiState&quot;: &quot;A String&quot;, # Controls current state of Wi-Fi and if user can change its state.
    },
    &quot;displaySettings&quot;: { # Controls for the display settings. # Optional. Controls for the display settings.
      &quot;screenBrightnessSettings&quot;: { # Controls for the screen brightness settings. # Optional. Controls the screen brightness settings.
        &quot;screenBrightness&quot;: 42, # Optional. The screen brightness between 1 and 255 where 1 is the lowest and 255 is the highest brightness. A value of 0 (default) means no screen brightness set. Any other value is rejected. screenBrightnessMode must be either BRIGHTNESS_AUTOMATIC or BRIGHTNESS_FIXED to set this. Supported on Android 9 and above on fully managed devices. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 9. Supported on work profiles on company-owned devices on Android 15 and above.
        &quot;screenBrightnessMode&quot;: &quot;A String&quot;, # Optional. Controls the screen brightness mode.
      },
      &quot;screenTimeoutSettings&quot;: { # Controls the screen timeout settings. # Optional. Controls the screen timeout settings.
        &quot;screenTimeout&quot;: &quot;A String&quot;, # Optional. Controls the screen timeout duration. The screen timeout duration must be greater than 0, otherwise it is rejected. Additionally, it should not be greater than maximumTimeToLock, otherwise the screen timeout is set to maximumTimeToLock and a NonComplianceDetail with INVALID_VALUE reason and SCREEN_TIMEOUT_GREATER_THAN_MAXIMUM_TIME_TO_LOCK specific reason is reported. If the screen timeout is less than a certain lower bound, it is set to the lower bound. The lower bound may vary across devices. If this is set, screenTimeoutMode must be SCREEN_TIMEOUT_ENFORCED. Supported on Android 9 and above on fully managed devices. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 9. Supported on work profiles on company-owned devices on Android 15 and above.
        &quot;screenTimeoutMode&quot;: &quot;A String&quot;, # Optional. Controls whether the user is allowed to configure the screen timeout.
      },
    },
    &quot;encryptionPolicy&quot;: &quot;A String&quot;, # Whether encryption is enabled
    &quot;ensureVerifyAppsEnabled&quot;: True or False, # Whether app verification is force-enabled.
    &quot;enterpriseDisplayNameVisibility&quot;: &quot;A String&quot;, # Optional. Controls whether the enterpriseDisplayName is visible on the device (e.g. lock screen message on company-owned devices).
    &quot;factoryResetDisabled&quot;: True or False, # Whether factory resetting from settings is disabled.
    &quot;frpAdminEmails&quot;: [ # Email addresses of device administrators for factory reset protection. When the device is factory reset, it will require one of these admins to log in with the Google account email and password to unlock the device. If no admins are specified, the device won&#x27;t provide factory reset protection.
      &quot;A String&quot;,
    ],
    &quot;funDisabled&quot;: True or False, # Whether the user is allowed to have fun. Controls whether the Easter egg game in Settings is disabled.
    &quot;installAppsDisabled&quot;: True or False, # Whether user installation of apps is disabled.
    &quot;installUnknownSourcesAllowed&quot;: True or False, # This field has no effect.
    &quot;keyguardDisabled&quot;: True or False, # If true, this disables the Lock Screen (https://source.android.com/docs/core/display/multi_display/lock-screen) for primary and/or secondary displays. This policy is supported only in dedicated device management mode.
    &quot;keyguardDisabledFeatures&quot;: [ # Disabled keyguard customizations, such as widgets.
      &quot;A String&quot;,
    ],
    &quot;kioskCustomLauncherEnabled&quot;: True or False, # Whether the kiosk custom launcher is enabled. This replaces the home screen with a launcher that locks down the device to the apps installed via the applications setting. Apps appear on a single page in alphabetical order. Use kioskCustomization to further configure the kiosk device behavior.
    &quot;kioskCustomization&quot;: { # Settings controlling the behavior of a device in kiosk mode. To enable kiosk mode, set kioskCustomLauncherEnabled to true or specify an app in the policy with installType KIOSK. # Settings controlling the behavior of a device in kiosk mode. To enable kiosk mode, set kioskCustomLauncherEnabled to true or specify an app in the policy with installType KIOSK.
      &quot;deviceSettings&quot;: &quot;A String&quot;, # Specifies whether the Settings app is allowed in kiosk mode.
      &quot;powerButtonActions&quot;: &quot;A String&quot;, # Sets the behavior of a device in kiosk mode when a user presses and holds (long-presses) the Power button.
      &quot;statusBar&quot;: &quot;A String&quot;, # Specifies whether system info and notifications are disabled in kiosk mode.
      &quot;systemErrorWarnings&quot;: &quot;A String&quot;, # Specifies whether system error dialogs for crashed or unresponsive apps are blocked in kiosk mode. When blocked, the system will force-stop the app as if the user chooses the &quot;close app&quot; option on the UI.
      &quot;systemNavigation&quot;: &quot;A String&quot;, # Specifies which navigation features are enabled (e.g. Home, Overview buttons) in kiosk mode.
    },
    &quot;locationMode&quot;: &quot;A String&quot;, # The degree of location detection enabled.
    &quot;longSupportMessage&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # A message displayed to the user in the device administators settings screen.
      &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
      &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
        &quot;a_key&quot;: &quot;A String&quot;,
      },
    },
    &quot;maximumTimeToLock&quot;: &quot;A String&quot;, # Maximum time in milliseconds for user activity until the device locks. A value of 0 means there is no restriction.
    &quot;microphoneAccess&quot;: &quot;A String&quot;, # Controls the use of the microphone and whether the user has access to the microphone access toggle. This applies only on fully managed devices.
    &quot;minimumApiLevel&quot;: 42, # The minimum allowed Android API level.
    &quot;mobileNetworksConfigDisabled&quot;: True or False, # Whether configuring mobile networks is disabled.
    &quot;modifyAccountsDisabled&quot;: True or False, # Whether adding or removing accounts is disabled.
    &quot;mountPhysicalMediaDisabled&quot;: True or False, # Whether the user mounting physical external media is disabled.
    &quot;name&quot;: &quot;A String&quot;, # The name of the policy in the form enterprises/{enterpriseId}/policies/{policyId}.
    &quot;networkEscapeHatchEnabled&quot;: True or False, # Whether the network escape hatch is enabled. If a network connection can&#x27;t be made at boot time, the escape hatch prompts the user to temporarily connect to a network in order to refresh the device policy. After applying policy, the temporary network will be forgotten and the device will continue booting. This prevents being unable to connect to a network if there is no suitable network in the last policy and the device boots into an app in lock task mode, or the user is otherwise unable to reach device settings.Note: Setting wifiConfigDisabled to true will override this setting under specific circumstances. Please see wifiConfigDisabled for further details. Setting configureWifi to DISALLOW_CONFIGURING_WIFI will override this setting under specific circumstances. Please see DISALLOW_CONFIGURING_WIFI for further details.
    &quot;networkResetDisabled&quot;: True or False, # Whether resetting network settings is disabled.
    &quot;oncCertificateProviders&quot;: [ # This feature is not generally available.
      { # This feature is not generally available.
        &quot;certificateReferences&quot;: [ # This feature is not generally available.
          &quot;A String&quot;,
        ],
        &quot;contentProviderEndpoint&quot;: { # This feature is not generally available. # This feature is not generally available.
          &quot;packageName&quot;: &quot;A String&quot;, # This feature is not generally available.
          &quot;signingCertsSha256&quot;: [ # Required. This feature is not generally available.
            &quot;A String&quot;,
          ],
          &quot;uri&quot;: &quot;A String&quot;, # This feature is not generally available.
        },
      },
    ],
    &quot;openNetworkConfiguration&quot;: { # Network configuration for the device. See configure networks for more information.
      &quot;a_key&quot;: &quot;&quot;, # Properties of the object.
    },
    &quot;outgoingBeamDisabled&quot;: True or False, # Whether using NFC to beam data from apps is disabled.
    &quot;outgoingCallsDisabled&quot;: True or False, # Whether outgoing calls are disabled.
    &quot;passwordPolicies&quot;: [ # Password requirement policies. Different policies can be set for work profile or fully managed devices by setting the password_scope field in the policy.
      { # Requirements for the password used to unlock a device.
        &quot;maximumFailedPasswordsForWipe&quot;: 42, # Number of incorrect device-unlock passwords that can be entered before a device is wiped. A value of 0 means there is no restriction.
        &quot;passwordExpirationTimeout&quot;: &quot;A String&quot;, # Password expiration timeout.
        &quot;passwordHistoryLength&quot;: 42, # The length of the password history. After setting this field, the user won&#x27;t be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction.
        &quot;passwordMinimumLength&quot;: 42, # The minimum allowed password length. A value of 0 means there is no restriction. Only enforced when password_quality is NUMERIC, NUMERIC_COMPLEX, ALPHABETIC, ALPHANUMERIC, or COMPLEX.
        &quot;passwordMinimumLetters&quot;: 42, # Minimum number of letters required in the password. Only enforced when password_quality is COMPLEX.
        &quot;passwordMinimumLowerCase&quot;: 42, # Minimum number of lower case letters required in the password. Only enforced when password_quality is COMPLEX.
        &quot;passwordMinimumNonLetter&quot;: 42, # Minimum number of non-letter characters (numerical digits or symbols) required in the password. Only enforced when password_quality is COMPLEX.
        &quot;passwordMinimumNumeric&quot;: 42, # Minimum number of numerical digits required in the password. Only enforced when password_quality is COMPLEX.
        &quot;passwordMinimumSymbols&quot;: 42, # Minimum number of symbols required in the password. Only enforced when password_quality is COMPLEX.
        &quot;passwordMinimumUpperCase&quot;: 42, # Minimum number of upper case letters required in the password. Only enforced when password_quality is COMPLEX.
        &quot;passwordQuality&quot;: &quot;A String&quot;, # The required password quality.
        &quot;passwordScope&quot;: &quot;A String&quot;, # The scope that the password requirement applies to.
        &quot;requirePasswordUnlock&quot;: &quot;A String&quot;, # The length of time after a device or work profile is unlocked using a strong form of authentication (password, PIN, pattern) that it can be unlocked using any other authentication method (e.g. fingerprint, trust agents, face). After the specified time period elapses, only strong forms of authentication can be used to unlock the device or work profile.
        &quot;unifiedLockSettings&quot;: &quot;A String&quot;, # Controls whether a unified lock is allowed for the device and the work profile, on devices running Android 9 and above with a work profile. This can be set only if password_scope is set to SCOPE_PROFILE, the policy will be rejected otherwise. If user has not set a separate work lock and this field is set to REQUIRE_SEPARATE_WORK_LOCK, a NonComplianceDetail is reported with nonComplianceReason set to USER_ACTION.
      },
    ],
    &quot;passwordRequirements&quot;: { # Requirements for the password used to unlock a device. # Password requirements. The field password_requirements.require_password_unlock must not be set. DEPRECATED - Use passwordPolicies.Note:Complexity-based values of PasswordQuality, that is, COMPLEXITY_LOW, COMPLEXITY_MEDIUM, and COMPLEXITY_HIGH, cannot be used here. unified_lock_settings cannot be used here.
      &quot;maximumFailedPasswordsForWipe&quot;: 42, # Number of incorrect device-unlock passwords that can be entered before a device is wiped. A value of 0 means there is no restriction.
      &quot;passwordExpirationTimeout&quot;: &quot;A String&quot;, # Password expiration timeout.
      &quot;passwordHistoryLength&quot;: 42, # The length of the password history. After setting this field, the user won&#x27;t be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction.
      &quot;passwordMinimumLength&quot;: 42, # The minimum allowed password length. A value of 0 means there is no restriction. Only enforced when password_quality is NUMERIC, NUMERIC_COMPLEX, ALPHABETIC, ALPHANUMERIC, or COMPLEX.
      &quot;passwordMinimumLetters&quot;: 42, # Minimum number of letters required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumLowerCase&quot;: 42, # Minimum number of lower case letters required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumNonLetter&quot;: 42, # Minimum number of non-letter characters (numerical digits or symbols) required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumNumeric&quot;: 42, # Minimum number of numerical digits required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumSymbols&quot;: 42, # Minimum number of symbols required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumUpperCase&quot;: 42, # Minimum number of upper case letters required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordQuality&quot;: &quot;A String&quot;, # The required password quality.
      &quot;passwordScope&quot;: &quot;A String&quot;, # The scope that the password requirement applies to.
      &quot;requirePasswordUnlock&quot;: &quot;A String&quot;, # The length of time after a device or work profile is unlocked using a strong form of authentication (password, PIN, pattern) that it can be unlocked using any other authentication method (e.g. fingerprint, trust agents, face). After the specified time period elapses, only strong forms of authentication can be used to unlock the device or work profile.
      &quot;unifiedLockSettings&quot;: &quot;A String&quot;, # Controls whether a unified lock is allowed for the device and the work profile, on devices running Android 9 and above with a work profile. This can be set only if password_scope is set to SCOPE_PROFILE, the policy will be rejected otherwise. If user has not set a separate work lock and this field is set to REQUIRE_SEPARATE_WORK_LOCK, a NonComplianceDetail is reported with nonComplianceReason set to USER_ACTION.
    },
    &quot;permissionGrants&quot;: [ # Explicit permission or group grants or denials for all apps. These values override the default_permission_policy.
      { # Configuration for an Android permission and its grant state.
        &quot;permission&quot;: &quot;A String&quot;, # The Android permission or group, e.g. android.permission.READ_CALENDAR or android.permission_group.CALENDAR.
        &quot;policy&quot;: &quot;A String&quot;, # The policy for granting the permission.
      },
    ],
    &quot;permittedAccessibilityServices&quot;: { # A list of package names. # Specifies permitted accessibility services. If the field is not set, any accessibility service can be used. If the field is set, only the accessibility services in this list and the system&#x27;s built-in accessibility service can be used. In particular, if the field is set to empty, only the system&#x27;s built-in accessibility servicess can be used. This can be set on fully managed devices and on work profiles. When applied to a work profile, this affects both the personal profile and the work profile.
      &quot;packageNames&quot;: [ # A list of package names.
        &quot;A String&quot;,
      ],
    },
    &quot;permittedInputMethods&quot;: { # A list of package names. # If present, only the input methods provided by packages in this list are permitted. If this field is present, but the list is empty, then only system input methods are permitted.
      &quot;packageNames&quot;: [ # A list of package names.
        &quot;A String&quot;,
      ],
    },
    &quot;persistentPreferredActivities&quot;: [ # Default intent handler activities.
      { # A default activity for handling intents that match a particular intent filter. Note: To set up a kiosk, use InstallType to KIOSK rather than use persistent preferred activities.
        &quot;actions&quot;: [ # The intent actions to match in the filter. If any actions are included in the filter, then an intent&#x27;s action must be one of those values for it to match. If no actions are included, the intent action is ignored.
          &quot;A String&quot;,
        ],
        &quot;categories&quot;: [ # The intent categories to match in the filter. An intent includes the categories that it requires, all of which must be included in the filter in order to match. In other words, adding a category to the filter has no impact on matching unless that category is specified in the intent.
          &quot;A String&quot;,
        ],
        &quot;receiverActivity&quot;: &quot;A String&quot;, # The activity that should be the default intent handler. This should be an Android component name, e.g. com.android.enterprise.app/.MainActivity. Alternatively, the value may be the package name of an app, which causes Android Device Policy to choose an appropriate activity from the app to handle the intent.
      },
    ],
    &quot;personalUsagePolicies&quot;: { # Policies controlling personal usage on a company-owned device with a work profile. # Policies managing personal usage on a company-owned device.
      &quot;accountTypesWithManagementDisabled&quot;: [ # Account types that can&#x27;t be managed by the user.
        &quot;A String&quot;,
      ],
      &quot;bluetoothSharing&quot;: &quot;A String&quot;, # Optional. Whether bluetooth sharing is allowed.
      &quot;cameraDisabled&quot;: True or False, # If true, the camera is disabled on the personal profile.
      &quot;maxDaysWithWorkOff&quot;: 42, # Controls how long the work profile can stay off. The minimum duration must be at least 3 days. Other details are as follows: - If the duration is set to 0, the feature is turned off. - If the duration is set to a value smaller than the minimum duration, the feature returns an error. *Note:* If you want to avoid personal profiles being suspended during long periods of off-time, you can temporarily set a large value for this parameter.
      &quot;personalApplications&quot;: [ # Policy applied to applications in the personal profile.
        { # Policies for apps in the personal profile of a company-owned device with a work profile.
          &quot;installType&quot;: &quot;A String&quot;, # The type of installation to perform.
          &quot;packageName&quot;: &quot;A String&quot;, # The package name of the application.
        },
      ],
      &quot;personalPlayStoreMode&quot;: &quot;A String&quot;, # Used together with personalApplications to control how apps in the personal profile are allowed or blocked.
      &quot;privateSpacePolicy&quot;: &quot;A String&quot;, # Optional. Controls whether a private space is allowed on the device.
      &quot;screenCaptureDisabled&quot;: True or False, # If true, screen capture is disabled for all users.
    },
    &quot;playStoreMode&quot;: &quot;A String&quot;, # This mode controls which apps are available to the user in the Play Store and the behavior on the device when apps are removed from the policy.
    &quot;policyEnforcementRules&quot;: [ # Rules that define the behavior when a particular policy can not be applied on device
      { # A rule that defines the actions to take if a device or work profile is not compliant with the policy specified in settingName. In the case of multiple matching or multiple triggered enforcement rules, a merge will occur with the most severe action being taken. However, all triggered rules are still kept track of: this includes initial trigger time and all associated non-compliance details. In the situation where the most severe enforcement rule is satisfied, the next most appropriate action is applied.
        &quot;blockAction&quot;: { # An action to block access to apps and data on a fully managed device or in a work profile. This action also triggers a device or work profile to displays a user-facing notification with information (where possible) on how to correct the compliance issue. Note: wipeAction must also be specified. # An action to block access to apps and data on a company owned device or in a work profile. This action also triggers a user-facing notification with information (where possible) on how to correct the compliance issue. Note: wipeAction must also be specified.
          &quot;blockAfterDays&quot;: 42, # Number of days the policy is non-compliant before the device or work profile is blocked. To block access immediately, set to 0. blockAfterDays must be less than wipeAfterDays.
          &quot;blockScope&quot;: &quot;A String&quot;, # Specifies the scope of this BlockAction. Only applicable to devices that are company-owned.
        },
        &quot;settingName&quot;: &quot;A String&quot;, # The top-level policy to enforce. For example, applications or passwordPolicies.
        &quot;wipeAction&quot;: { # An action to reset a company owned device or delete a work profile. Note: blockAction must also be specified. # An action to reset a company owned device or delete a work profile. Note: blockAction must also be specified.
          &quot;preserveFrp&quot;: True or False, # Whether the factory-reset protection data is preserved on the device. This setting doesn’t apply to work profiles.
          &quot;wipeAfterDays&quot;: 42, # Number of days the policy is non-compliant before the device or work profile is wiped. wipeAfterDays must be greater than blockAfterDays.
        },
      },
    ],
    &quot;preferentialNetworkService&quot;: &quot;A String&quot;, # Controls whether preferential network service is enabled on the work profile or on fully managed devices. For example, an organization may have an agreement with a carrier that all of the work data from its employees&#x27; devices will be sent via a network service dedicated for enterprise use. An example of a supported preferential network service is the enterprise slice on 5G networks. This policy has no effect if preferentialNetworkServiceSettings or ApplicationPolicy.preferentialNetworkId is set on devices running Android 13 or above.
    &quot;printingPolicy&quot;: &quot;A String&quot;, # Optional. Controls whether printing is allowed. This is supported on devices running Android 9 and above. .
    &quot;privateKeySelectionEnabled&quot;: True or False, # Allows showing UI on a device for a user to choose a private key alias if there are no matching rules in ChoosePrivateKeyRules. For devices below Android P, setting this may leave enterprise keys vulnerable. This value will have no effect if any application has CERT_SELECTION delegation scope.
    &quot;recommendedGlobalProxy&quot;: { # Configuration info for an HTTP proxy. For a direct proxy, set the host, port, and excluded_hosts fields. For a PAC script proxy, set the pac_uri field. # The network-independent global HTTP proxy. Typically proxies should be configured per-network in open_network_configuration. However for unusual configurations like general internal filtering a global HTTP proxy may be useful. If the proxy is not accessible, network access may break. The global proxy is only a recommendation and some apps may ignore it.
      &quot;excludedHosts&quot;: [ # For a direct proxy, the hosts for which the proxy is bypassed. The host names may contain wildcards such as *.example.com.
        &quot;A String&quot;,
      ],
      &quot;host&quot;: &quot;A String&quot;, # The host of the direct proxy.
      &quot;pacUri&quot;: &quot;A String&quot;, # The URI of the PAC script used to configure the proxy.
      &quot;port&quot;: 42, # The port of the direct proxy.
    },
    &quot;removeUserDisabled&quot;: True or False, # Whether removing other users is disabled.
    &quot;safeBootDisabled&quot;: True or False, # Whether rebooting the device into safe boot is disabled.
    &quot;screenCaptureDisabled&quot;: True or False, # Whether screen capture is disabled.
    &quot;setUserIconDisabled&quot;: True or False, # Whether changing the user icon is disabled. The setting has effect only on fully managed devices.
    &quot;setWallpaperDisabled&quot;: True or False, # Whether changing the wallpaper is disabled.
    &quot;setupActions&quot;: [ # Action to take during the setup process. At most one action may be specified.
      { # An action executed during setup.
        &quot;description&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # Description of this action.
          &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
          &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
            &quot;a_key&quot;: &quot;A String&quot;,
          },
        },
        &quot;launchApp&quot;: { # An action to launch an app. # An action to launch an app. The app will be launched with an intent containing an extra with key com.google.android.apps.work.clouddpc.EXTRA_LAUNCHED_AS_SETUP_ACTION set to the boolean value true to indicate that this is a setup action flow. If SetupAction references an app, the corresponding installType in the application policy must be set as REQUIRED_FOR_SETUP or said setup will fail.
          &quot;packageName&quot;: &quot;A String&quot;, # Package name of app to be launched
        },
        &quot;title&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # Title of this action.
          &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
          &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
            &quot;a_key&quot;: &quot;A String&quot;,
          },
        },
      },
    ],
    &quot;shareLocationDisabled&quot;: True or False, # Whether location sharing is disabled. share_location_disabled is supported for both fully managed devices and personally owned work profiles.
    &quot;shortSupportMessage&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # A message displayed to the user in the settings screen wherever functionality has been disabled by the admin. If the message is longer than 200 characters it may be truncated.
      &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
      &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
        &quot;a_key&quot;: &quot;A String&quot;,
      },
    },
    &quot;skipFirstUseHintsEnabled&quot;: True or False, # Flag to skip hints on the first use. Enterprise admin can enable the system recommendation for apps to skip their user tutorial and other introductory hints on first start-up.
    &quot;smsDisabled&quot;: True or False, # Whether sending and receiving SMS messages is disabled.
    &quot;statusBarDisabled&quot;: True or False, # Whether the status bar is disabled. This disables notifications, quick settings, and other screen overlays that allow escape from full-screen mode. DEPRECATED. To disable the status bar on a kiosk device, use InstallType KIOSK or kioskCustomLauncherEnabled.
    &quot;statusReportingSettings&quot;: { # Settings controlling the behavior of status reports. # Status reporting settings
      &quot;applicationReportingSettings&quot;: { # Settings controlling the behavior of application reports. # Application reporting settings. Only applicable if application_reports_enabled is true.
        &quot;includeRemovedApps&quot;: True or False, # Whether removed apps are included in application reports.
      },
      &quot;applicationReportsEnabled&quot;: True or False, # Whether app reports are enabled.
      &quot;commonCriteriaModeEnabled&quot;: True or False, # Whether Common Criteria Mode reporting is enabled. This is supported only on company-owned devices.
      &quot;defaultApplicationInfoReportingEnabled&quot;: True or False, # Optional. Whether defaultApplicationInfo reporting is enabled.
      &quot;deviceSettingsEnabled&quot;: True or False, # Whether device settings reporting is enabled.
      &quot;displayInfoEnabled&quot;: True or False, # Whether displays reporting is enabled. Report data is not available for personally owned devices with work profiles.
      &quot;hardwareStatusEnabled&quot;: True or False, # Whether hardware status reporting is enabled. Report data is not available for personally owned devices with work profiles.
      &quot;memoryInfoEnabled&quot;: True or False, # Whether memory event reporting is enabled.
      &quot;networkInfoEnabled&quot;: True or False, # Whether network info reporting is enabled.
      &quot;powerManagementEventsEnabled&quot;: True or False, # Whether power management event reporting is enabled. Report data is not available for personally owned devices with work profiles.
      &quot;softwareInfoEnabled&quot;: True or False, # Whether software info reporting is enabled.
      &quot;systemPropertiesEnabled&quot;: True or False, # Whether system properties reporting is enabled.
    },
    &quot;stayOnPluggedModes&quot;: [ # The battery plugged in modes for which the device stays on. When using this setting, it is recommended to clear maximum_time_to_lock so that the device doesn&#x27;t lock itself while it stays on.
      &quot;A String&quot;,
    ],
    &quot;systemUpdate&quot;: { # Configuration for managing system updatesNote: Google Play system updates (https://source.android.com/docs/core/ota/modular-system) (also called Mainline updates) are automatically downloaded but require a device reboot to be installed. Refer to the mainline section in Manage system updates (https://developer.android.com/work/dpc/system-updates#mainline) for further details. # The system update policy, which controls how OS updates are applied. If the update type is WINDOWED, the update window will automatically apply to Play app updates as well.Note: Google Play system updates (https://source.android.com/docs/core/ota/modular-system) (also called Mainline updates) are automatically downloaded and require a device reboot to be installed. Refer to the mainline section in Manage system updates (https://developer.android.com/work/dpc/system-updates#mainline) for further details.
      &quot;endMinutes&quot;: 42, # If the type is WINDOWED, the end of the maintenance window, measured as the number of minutes after midnight in device&#x27;s local time. This value must be between 0 and 1439, inclusive. If this value is less than start_minutes, then the maintenance window spans midnight. If the maintenance window specified is smaller than 30 minutes, the actual window is extended to 30 minutes beyond the start time.
      &quot;freezePeriods&quot;: [ # An annually repeating time period in which over-the-air (OTA) system updates are postponed to freeze the OS version running on a device. To prevent freezing the device indefinitely, each freeze period must be separated by at least 60 days.
        { # A system freeze period. When a device’s clock is within the freeze period, all incoming system updates (including security patches) are blocked and won’t be installed.When the device is outside any set freeze periods, the normal policy behavior (automatic, windowed, or postponed) applies.Leap years are ignored in freeze period calculations, in particular: If Feb. 29th is set as the start or end date of a freeze period, the freeze period will start or end on Feb. 28th instead. When a device’s system clock reads Feb. 29th, it’s treated as Feb. 28th. When calculating the number of days in a freeze period or the time between two freeze periods, Feb. 29th is ignored and not counted as a day.Note: For Freeze Periods to take effect, SystemUpdateType cannot be specified as SYSTEM_UPDATE_TYPE_UNSPECIFIED, because freeze periods require a defined policy to be specified.
          &quot;endDate&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: A full date, with non-zero year, month, and day values. A month and day, with a zero year (for example, an anniversary). A year on its own, with a zero month and a zero day. A year and month, with a zero day (for example, a credit card expiration date).Related types: google.type.TimeOfDay google.type.DateTime google.protobuf.Timestamp # The end date (inclusive) of the freeze period. Must be no later than 90 days from the start date. If the end date is earlier than the start date, the freeze period is considered wrapping year-end. Note: day and month must be set. year should not be set as it is not used. For example, {&quot;month&quot;: 1,&quot;date&quot;: 30}.
            &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
            &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
            &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
          },
          &quot;startDate&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: A full date, with non-zero year, month, and day values. A month and day, with a zero year (for example, an anniversary). A year on its own, with a zero month and a zero day. A year and month, with a zero day (for example, a credit card expiration date).Related types: google.type.TimeOfDay google.type.DateTime google.protobuf.Timestamp # The start date (inclusive) of the freeze period. Note: day and month must be set. year should not be set as it is not used. For example, {&quot;month&quot;: 1,&quot;date&quot;: 30}.
            &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
            &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
            &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
          },
        },
      ],
      &quot;startMinutes&quot;: 42, # If the type is WINDOWED, the start of the maintenance window, measured as the number of minutes after midnight in the device&#x27;s local time. This value must be between 0 and 1439, inclusive.
      &quot;type&quot;: &quot;A String&quot;, # The type of system update to configure.
    },
    &quot;tetheringConfigDisabled&quot;: True or False, # Whether configuring tethering and portable hotspots is disabled. If tetheringSettings is set to anything other than TETHERING_SETTINGS_UNSPECIFIED, this setting is ignored.
    &quot;uninstallAppsDisabled&quot;: True or False, # Whether user uninstallation of applications is disabled. This prevents apps from being uninstalled, even those removed using applications
    &quot;unmuteMicrophoneDisabled&quot;: True or False, # If microphone_access is set to any value other than MICROPHONE_ACCESS_UNSPECIFIED, this has no effect. Otherwise this field controls whether microphones are disabled: If true, all microphones are disabled, otherwise they are available. This is available only on fully managed devices.
    &quot;usageLog&quot;: { # Controls types of device activity logs collected from the device and reported via Pub/Sub notification (https://developers.google.com/android/management/notifications). # Configuration of device activity logging.
      &quot;enabledLogTypes&quot;: [ # Specifies which log types are enabled. Note that users will receive on-device messaging when usage logging is enabled.
        &quot;A String&quot;,
      ],
      &quot;uploadOnCellularAllowed&quot;: [ # Specifies which of the enabled log types can be uploaded over mobile data. By default logs are queued for upload when the device connects to WiFi.
        &quot;A String&quot;,
      ],
    },
    &quot;usbFileTransferDisabled&quot;: True or False, # Whether transferring files over USB is disabled. This is supported only on company-owned devices.
    &quot;usbMassStorageEnabled&quot;: True or False, # Whether USB storage is enabled. Deprecated.
    &quot;version&quot;: &quot;A String&quot;, # The version of the policy. This is a read-only field. The version is incremented each time the policy is updated.
    &quot;vpnConfigDisabled&quot;: True or False, # Whether configuring VPN is disabled.
    &quot;wifiConfigDisabled&quot;: True or False, # Whether configuring Wi-Fi networks is disabled. Supported on fully managed devices and work profiles on company-owned devices. For fully managed devices, setting this to true removes all configured networks and retains only the networks configured using openNetworkConfiguration. For work profiles on company-owned devices, existing configured networks are not affected and the user is not allowed to add, remove, or modify Wi-Fi networks. If configureWifi is set to anything other than CONFIGURE_WIFI_UNSPECIFIED, this setting is ignored. Note: If a network connection can&#x27;t be made at boot time and configuring Wi-Fi is disabled then network escape hatch will be shown in order to refresh the device policy (see networkEscapeHatchEnabled).
    &quot;wifiConfigsLockdownEnabled&quot;: True or False, # This is deprecated.
    &quot;wipeDataFlags&quot;: [ # Optional. Wipe flags to indicate what data is wiped when a device or profile wipe is triggered due to any reason (for example, non-compliance). This does not apply to the enterprises.devices.delete method. . This list must not have duplicates.
      &quot;A String&quot;,
    ],
    &quot;workAccountSetupConfig&quot;: { # Controls the work account setup configuration, such as details of whether a Google authenticated account is required. # Optional. Controls the work account setup configuration, such as details of whether a Google authenticated account is required.
      &quot;authenticationType&quot;: &quot;A String&quot;, # Optional. The authentication type of the user on the device.
      &quot;requiredAccountEmail&quot;: &quot;A String&quot;, # Optional. The specific google work account email address to be added. This field is only relevant if authenticationType is GOOGLE_AUTHENTICATED. This must be an enterprise account and not a consumer account. Once set and a Google authenticated account is added to the device, changing this field will have no effect, and thus recommended to be set only once.
    },
  },
}</pre>
</div>

<div class="method">
    <code class="details" id="patch">patch(name, body=None, updateMask=None, x__xgafv=None)</code>
  <pre>Updates or creates a policy.

Args:
  name: string, The name of the policy in the form enterprises/{enterpriseId}/policies/{policyId}. (required)
  body: object, The request body.
    The object takes the form of:

{ # A policy resource represents a group of settings that govern the behavior of a managed device and the apps installed on it.
  &quot;accountTypesWithManagementDisabled&quot;: [ # Account types that can&#x27;t be managed by the user.
    &quot;A String&quot;,
  ],
  &quot;addUserDisabled&quot;: True or False, # Whether adding new users and profiles is disabled. For devices where managementMode is DEVICE_OWNER this field is ignored and the user is never allowed to add or remove users.
  &quot;adjustVolumeDisabled&quot;: True or False, # Whether adjusting the master volume is disabled. Also mutes the device. The setting has effect only on fully managed devices.
  &quot;advancedSecurityOverrides&quot;: { # Advanced security settings. In most cases, setting these is not needed. # Advanced security settings. In most cases, setting these is not needed.
    &quot;commonCriteriaMode&quot;: &quot;A String&quot;, # Controls Common Criteria Mode—security standards defined in the Common Criteria for Information Technology Security Evaluation (https://www.commoncriteriaportal.org/) (CC). Enabling Common Criteria Mode increases certain security components on a device, see CommonCriteriaMode for details.Warning: Common Criteria Mode enforces a strict security model typically only required for IT products used in national security systems and other highly sensitive organizations. Standard device use may be affected. Only enabled if required. If Common Criteria Mode is turned off after being enabled previously, all user-configured Wi-Fi networks may be lost and any enterprise-configured Wi-Fi networks that require user input may need to be reconfigured.
    &quot;contentProtectionPolicy&quot;: &quot;A String&quot;, # Optional. Controls whether content protection, which scans for deceptive apps, is enabled. This is supported on Android 15 and above.
    &quot;developerSettings&quot;: &quot;A String&quot;, # Controls access to developer settings: developer options and safe boot. Replaces safeBootDisabled (deprecated) and debuggingFeaturesAllowed (deprecated). On personally-owned devices with a work profile, setting this policy will not disable safe boot. In this case, a NonComplianceDetail with MANAGEMENT_MODE is reported.
    &quot;googlePlayProtectVerifyApps&quot;: &quot;A String&quot;, # Whether Google Play Protect verification (https://support.google.com/accounts/answer/2812853) is enforced. Replaces ensureVerifyAppsEnabled (deprecated).
    &quot;mtePolicy&quot;: &quot;A String&quot;, # Optional. Controls Memory Tagging Extension (MTE) (https://source.android.com/docs/security/test/memory-safety/arm-mte) on the device. The device needs to be rebooted to apply changes to the MTE policy. On Android 15 and above, a NonComplianceDetail with PENDING is reported if the policy change is pending a device reboot.
    &quot;personalAppsThatCanReadWorkNotifications&quot;: [ # Personal apps that can read work profile notifications using a NotificationListenerService (https://developer.android.com/reference/android/service/notification/NotificationListenerService). By default, no personal apps (aside from system apps) can read work notifications. Each value in the list must be a package name.
      &quot;A String&quot;,
    ],
    &quot;untrustedAppsPolicy&quot;: &quot;A String&quot;, # The policy for untrusted apps (apps from unknown sources) enforced on the device. Replaces install_unknown_sources_allowed (deprecated).
  },
  &quot;alwaysOnVpnPackage&quot;: { # Configuration for an always-on VPN connection. # Configuration for an always-on VPN connection. Use with vpn_config_disabled to prevent modification of this setting.
    &quot;lockdownEnabled&quot;: True or False, # Disallows networking when the VPN is not connected.
    &quot;packageName&quot;: &quot;A String&quot;, # The package name of the VPN app.
  },
  &quot;androidDevicePolicyTracks&quot;: [ # This setting is not supported. Any value is ignored.
    &quot;A String&quot;,
  ],
  &quot;appAutoUpdatePolicy&quot;: &quot;A String&quot;, # Recommended alternative: autoUpdateMode which is set per app, provides greater flexibility around update frequency.When autoUpdateMode is set to AUTO_UPDATE_POSTPONED or AUTO_UPDATE_HIGH_PRIORITY, this field has no effect.The app auto update policy, which controls when automatic app updates can be applied.
  &quot;appFunctions&quot;: &quot;A String&quot;, # Optional. Controls whether apps on the device for fully managed devices or in the work profile for devices with work profiles are allowed to expose app functions.
  &quot;applications&quot;: [ # Policy applied to apps. This can have at most 3,000 elements.
    { # Policy for an individual app. Note: Application availability on a given device cannot be changed using this policy if installAppsDisabled is enabled. The maximum number of applications that you can specify per policy is 3,000.
      &quot;accessibleTrackIds&quot;: [ # List of the app’s track IDs that a device belonging to the enterprise can access. If the list contains multiple track IDs, devices receive the latest version among all accessible tracks. If the list contains no track IDs, devices only have access to the app’s production track. More details about each track are available in AppTrackInfo.
        &quot;A String&quot;,
      ],
      &quot;alwaysOnVpnLockdownExemption&quot;: &quot;A String&quot;, # Specifies whether the app is allowed networking when the VPN is not connected and alwaysOnVpnPackage.lockdownEnabled is enabled. If set to VPN_LOCKDOWN_ENFORCED, the app is not allowed networking, and if set to VPN_LOCKDOWN_EXEMPTION, the app is allowed networking. Only supported on devices running Android 10 and above. If this is not supported by the device, the device will contain a NonComplianceDetail with non_compliance_reason set to API_LEVEL and a fieldPath. If this is not applicable to the app, the device will contain a NonComplianceDetail with non_compliance_reason set to UNSUPPORTED and a fieldPath. The fieldPath is set to applications[i].alwaysOnVpnLockdownExemption, where i is the index of the package in the applications policy.
      &quot;autoUpdateMode&quot;: &quot;A String&quot;, # Controls the auto-update mode for the app.
      &quot;connectedWorkAndPersonalApp&quot;: &quot;A String&quot;, # Controls whether the app can communicate with itself across a device’s work and personal profiles, subject to user consent.
      &quot;credentialProviderPolicy&quot;: &quot;A String&quot;, # Optional. Whether the app is allowed to act as a credential provider on Android 14 and above.
      &quot;customAppConfig&quot;: { # Configuration for a custom app. # Optional. Configuration for this custom app.install_type must be set to CUSTOM for this to be set.
        &quot;userUninstallSettings&quot;: &quot;A String&quot;, # Optional. User uninstall settings of the custom app.
      },
      &quot;defaultPermissionPolicy&quot;: &quot;A String&quot;, # The default policy for all permissions requested by the app. If specified, this overrides the policy-level default_permission_policy which applies to all apps. It does not override the permission_grants which applies to all apps.
      &quot;delegatedScopes&quot;: [ # The scopes delegated to the app from Android Device Policy. These provide additional privileges for the applications they are applied to.
        &quot;A String&quot;,
      ],
      &quot;disabled&quot;: True or False, # Whether the app is disabled. When disabled, the app data is still preserved.
      &quot;extensionConfig&quot;: { # Configuration to enable an app as an extension app, with the capability of interacting with Android Device Policy offline. For Android versions 11 and above, extension apps are exempt from battery restrictions so will not be placed into the restricted App Standby Bucket (https://developer.android.com/topic/performance/appstandby#restricted-bucket). Extensions apps are also protected against users clearing their data or force-closing the application, although admins can continue to use the clear app data command on extension apps if needed for Android 11 and above. # Configuration to enable this app as an extension app, with the capability of interacting with Android Device Policy offline.This field can be set for at most one app. If there is any app with COMPANION_APP role, this field cannot be set.The signing key certificate fingerprint of the app on the device must match one of the entries in ApplicationPolicy.signingKeyCerts or ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) or the signing key certificate fingerprints obtained from Play Store for the app to be able to communicate with Android Device Policy. If the app is not on Play Store and if ApplicationPolicy.signingKeyCerts and ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) are not set, a NonComplianceDetail with INVALID_VALUE is reported.
        &quot;notificationReceiver&quot;: &quot;A String&quot;, # Fully qualified class name of the receiver service class for Android Device Policy to notify the extension app of any local command status updates. The service must be exported in the extension app&#x27;s AndroidManifest.xml and extend NotificationReceiverService (https://developers.google.com/android/management/reference/amapi/com/google/android/managementapi/notification/NotificationReceiverService) (see Integrate with the AMAPI SDK (https://developers.google.com/android/management/sdk-integration) guide for more details).
        &quot;signingKeyFingerprintsSha256&quot;: [ # Hex-encoded SHA-256 hashes of the signing key certificates of the extension app. Only hexadecimal string representations of 64 characters are valid.The signing key certificate fingerprints are always obtained from the Play Store and this field is used to provide additional signing key certificate fingerprints. However, if the application is not available on the Play Store, this field needs to be set. A NonComplianceDetail with INVALID_VALUE is reported if this field is not set when the application is not available on the Play Store.The signing key certificate fingerprint of the extension app on the device must match one of the signing key certificate fingerprints obtained from the Play Store or the ones provided in this field for the app to be able to communicate with Android Device Policy.In production use cases, it is recommended to leave this empty.
          &quot;A String&quot;,
        ],
      },
      &quot;installConstraint&quot;: [ # Optional. The constraints for installing the app. You can specify a maximum of one InstallConstraint. Multiple constraints are rejected.
        { # Amongst apps with InstallType set to: FORCE_INSTALLED PREINSTALLEDthis defines a set of restrictions for the app installation. At least one of the fields must be set. When multiple fields are set, then all the constraints need to be satisfied for the app to be installed.
          &quot;chargingConstraint&quot;: &quot;A String&quot;, # Optional. Charging constraint.
          &quot;deviceIdleConstraint&quot;: &quot;A String&quot;, # Optional. Device idle constraint.
          &quot;networkTypeConstraint&quot;: &quot;A String&quot;, # Optional. Network type constraint.
        },
      ],
      &quot;installPriority&quot;: 42, # Optional. Amongst apps with installType set to: FORCE_INSTALLED PREINSTALLEDthis controls the relative priority of installation. A value of 0 (default) means this app has no priority over other apps. For values between 1 and 10,000, a lower value means a higher priority. Values outside of the range 0 to 10,000 inclusive are rejected.
      &quot;installType&quot;: &quot;A String&quot;, # The type of installation to perform.
      &quot;lockTaskAllowed&quot;: True or False, # Whether the app is allowed to lock itself in full-screen mode. DEPRECATED. Use InstallType KIOSK or kioskCustomLauncherEnabled to configure a dedicated device.
      &quot;managedConfiguration&quot;: { # Managed configuration applied to the app. The format for the configuration is dictated by the ManagedProperty values supported by the app. Each field name in the managed configuration must match the key field of the ManagedProperty. The field value must be compatible with the type of the ManagedProperty: *type* *JSON value* BOOL true or false STRING string INTEGER number CHOICE string MULTISELECT array of strings HIDDEN string BUNDLE_ARRAY array of objects
        &quot;a_key&quot;: &quot;&quot;, # Properties of the object.
      },
      &quot;managedConfigurationTemplate&quot;: { # The managed configurations template for the app, saved from the managed configurations iframe. # The managed configurations template for the app, saved from the managed configurations iframe. This field is ignored if managed_configuration is set.
        &quot;configurationVariables&quot;: { # Optional, a map containing configuration variables defined for the configuration.
          &quot;a_key&quot;: &quot;A String&quot;,
        },
        &quot;templateId&quot;: &quot;A String&quot;, # The ID of the managed configurations template.
      },
      &quot;minimumVersionCode&quot;: 42, # The minimum version of the app that runs on the device. If set, the device attempts to update the app to at least this version code. If the app is not up-to-date, the device will contain a NonComplianceDetail with non_compliance_reason set to APP_NOT_UPDATED. The app must already be published to Google Play with a version code greater than or equal to this value. At most 20 apps may specify a minimum version code per policy.
      &quot;packageName&quot;: &quot;A String&quot;, # The package name of the app. For example, com.google.android.youtube for the YouTube app.
      &quot;permissionGrants&quot;: [ # Explicit permission grants or denials for the app. These values override the default_permission_policy and permission_grants which apply to all apps.
        { # Configuration for an Android permission and its grant state.
          &quot;permission&quot;: &quot;A String&quot;, # The Android permission or group, e.g. android.permission.READ_CALENDAR or android.permission_group.CALENDAR.
          &quot;policy&quot;: &quot;A String&quot;, # The policy for granting the permission.
        },
      ],
      &quot;preferentialNetworkId&quot;: &quot;A String&quot;, # Optional. ID of the preferential network the application uses. There must be a configuration for the specified network ID in preferentialNetworkServiceConfigs. If set to PREFERENTIAL_NETWORK_ID_UNSPECIFIED, the application will use the default network ID specified in defaultPreferentialNetworkId. See the documentation of defaultPreferentialNetworkId for the list of apps excluded from this defaulting. This applies on both work profiles and fully managed devices on Android 13 and above.
      &quot;roles&quot;: [ # Optional. Roles the app has.Apps having certain roles can be exempted from power and background execution restrictions, suspension and hibernation on Android 14 and above. The user control can also be disallowed for apps with certain roles on Android 11 and above. Refer to the documentation of each RoleType for more details.The app is notified about the roles that are set for it if the app has a notification receiver service with . The app is notified whenever its roles are updated or after the app is installed when it has nonempty list of roles. The app can use this notification to bootstrap itself after the installation. See Integrate with the AMAPI SDK (https://developers.google.com/android/management/sdk-integration) and Manage app roles (https://developers.google.com/android/management/app-roles) guides for more details on the requirements for the service.For the exemptions to be applied and the app to be notified about the roles, the signing key certificate fingerprint of the app on the device must match one of the signing key certificate fingerprints obtained from Play Store or one of the entries in ApplicationPolicy.signingKeyCerts. Otherwise, a NonComplianceDetail with APP_SIGNING_CERT_MISMATCH is reported.There must not be duplicate roles with the same roleType. Multiple apps cannot hold a role with the same roleType. A role with type ROLE_TYPE_UNSPECIFIED is not allowed.
        { # Role an app can have.
          &quot;roleType&quot;: &quot;A String&quot;, # Required. The type of the role an app can have.
        },
      ],
      &quot;signingKeyCerts&quot;: [ # Optional. Signing key certificates of the app.This field is required in the following cases: The app has installType set to CUSTOM (i.e. a custom app). The app has roles set to a nonempty list and the app does not exist on the Play Store. The app has extensionConfig set (i.e. an extension app) but ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) is not set and the app does not exist on the Play Store.If this field is not set for a custom app, the policy is rejected. If it is not set when required for a non-custom app, a NonComplianceDetail with INVALID_VALUE is reported.For other cases, this field is optional and the signing key certificates obtained from Play Store are used.See following policy settings to see how this field is used: choosePrivateKeyRules ApplicationPolicy.InstallType.CUSTOM ApplicationPolicy.extensionConfig ApplicationPolicy.roles
        { # The application signing key certificate.
          &quot;signingKeyCertFingerprintSha256&quot;: &quot;A String&quot;, # Required. The SHA-256 hash value of the signing key certificate of the app. This must be a valid SHA-256 hash value, i.e. 32 bytes. Otherwise, the policy is rejected.
        },
      ],
      &quot;userControlSettings&quot;: &quot;A String&quot;, # Optional. Specifies whether user control is permitted for the app. User control includes user actions like force-stopping and clearing app data. Certain types of apps have special treatment, see USER_CONTROL_SETTINGS_UNSPECIFIED and USER_CONTROL_ALLOWED for more details.
      &quot;workProfileWidgets&quot;: &quot;A String&quot;, # Specifies whether the app installed in the work profile is allowed to add widgets to the home screen.
    },
  ],
  &quot;assistContentPolicy&quot;: &quot;A String&quot;, # Optional. Controls whether AssistContent (https://developer.android.com/reference/android/app/assist/AssistContent) is allowed to be sent to a privileged app such as an assistant app. AssistContent includes screenshots and information about an app, such as package name. This is supported on Android 15 and above.
  &quot;autoDateAndTimeZone&quot;: &quot;A String&quot;, # Whether auto date, time, and time zone are enabled on a company-owned device. If this is set, then autoTimeRequired is ignored.
  &quot;autoTimeRequired&quot;: True or False, # Whether auto time is required, which prevents the user from manually setting the date and time. If autoDateAndTimeZone is set, this field is ignored.
  &quot;blockApplicationsEnabled&quot;: True or False, # Whether applications other than the ones configured in applications are blocked from being installed. When set, applications that were installed under a previous policy but no longer appear in the policy are automatically uninstalled.
  &quot;bluetoothConfigDisabled&quot;: True or False, # Whether configuring bluetooth is disabled.
  &quot;bluetoothContactSharingDisabled&quot;: True or False, # Whether bluetooth contact sharing is disabled.
  &quot;bluetoothDisabled&quot;: True or False, # Whether bluetooth is disabled. Prefer this setting over bluetooth_config_disabled because bluetooth_config_disabled can be bypassed by the user.
  &quot;cameraAccess&quot;: &quot;A String&quot;, # Controls the use of the camera and whether the user has access to the camera access toggle.
  &quot;cameraDisabled&quot;: True or False, # If camera_access is set to any value other than CAMERA_ACCESS_UNSPECIFIED, this has no effect. Otherwise this field controls whether cameras are disabled: If true, all cameras are disabled, otherwise they are available. For fully managed devices this field applies for all apps on the device. For work profiles, this field applies only to apps in the work profile, and the camera access of apps outside the work profile is unaffected.
  &quot;cellBroadcastsConfigDisabled&quot;: True or False, # Whether configuring cell broadcast is disabled.
  &quot;choosePrivateKeyRules&quot;: [ # Rules for determining apps&#x27; access to private keys. See ChoosePrivateKeyRule for details. This must be empty if any application has CERT_SELECTION delegation scope.
    { # Controls apps&#x27; access to private keys. The rule determines which private key, if any, Android Device Policy grants to the specified app. Access is granted either when the app calls KeyChain.choosePrivateKeyAlias (https://developer.android.com/reference/android/security/KeyChain#choosePrivateKeyAlias%28android.app.Activity,%20android.security.KeyChainAliasCallback,%20java.lang.String[],%20java.security.Principal[],%20java.lang.String,%20int,%20java.lang.String%29) (or any overloads) to request a private key alias for a given URL, or for rules that are not URL-specific (that is, if urlPattern is not set, or set to the empty string or .*) on Android 11 and above, directly so that the app can call KeyChain.getPrivateKey (https://developer.android.com/reference/android/security/KeyChain#getPrivateKey%28android.content.Context,%20java.lang.String%29), without first having to call KeyChain.choosePrivateKeyAlias.When an app calls KeyChain.choosePrivateKeyAlias if more than one choosePrivateKeyRules matches, the last matching rule defines which key alias to return.
      &quot;packageNames&quot;: [ # The package names to which this rule applies. The signing key certificate fingerprint of the app is verified against the signing key certificate fingerprints provided by Play Store and ApplicationPolicy.signingKeyCerts . If no package names are specified, then the alias is provided to all apps that call KeyChain.choosePrivateKeyAlias (https://developer.android.com/reference/android/security/KeyChain#choosePrivateKeyAlias%28android.app.Activity,%20android.security.KeyChainAliasCallback,%20java.lang.String[],%20java.security.Principal[],%20java.lang.String,%20int,%20java.lang.String%29) or any overloads (but not without calling KeyChain.choosePrivateKeyAlias, even on Android 11 and above). Any app with the same Android UID as a package specified here will have access when they call KeyChain.choosePrivateKeyAlias.
        &quot;A String&quot;,
      ],
      &quot;privateKeyAlias&quot;: &quot;A String&quot;, # The alias of the private key to be used.
      &quot;urlPattern&quot;: &quot;A String&quot;, # The URL pattern to match against the URL of the request. If not set or empty, it matches all URLs. This uses the regular expression syntax of java.util.regex.Pattern.
    },
  ],
  &quot;complianceRules&quot;: [ # Rules declaring which mitigating actions to take when a device is not compliant with its policy. When the conditions for multiple rules are satisfied, all of the mitigating actions for the rules are taken. There is a maximum limit of 100 rules. Use policy enforcement rules instead.
    { # A rule declaring which mitigating actions to take when a device is not compliant with its policy. For every rule, there is always an implicit mitigating action to set policy_compliant to false for the Device resource, and display a message on the device indicating that the device is not compliant with its policy. Other mitigating actions may optionally be taken as well, depending on the field values in the rule.
      &quot;apiLevelCondition&quot;: { # A compliance rule condition which is satisfied if the Android Framework API level on the device doesn&#x27;t meet a minimum requirement. There can only be one rule with this type of condition per policy. # A condition which is satisfied if the Android Framework API level on the device doesn&#x27;t meet a minimum requirement.
        &quot;minApiLevel&quot;: 42, # The minimum desired Android Framework API level. If the device doesn&#x27;t meet the minimum requirement, this condition is satisfied. Must be greater than zero.
      },
      &quot;disableApps&quot;: True or False, # If set to true, the rule includes a mitigating action to disable apps so that the device is effectively disabled, but app data is preserved. If the device is running an app in locked task mode, the app will be closed and a UI showing the reason for non-compliance will be displayed.
      &quot;nonComplianceDetailCondition&quot;: { # A compliance rule condition which is satisfied if there exists any matching NonComplianceDetail for the device. A NonComplianceDetail matches a NonComplianceDetailCondition if all the fields which are set within the NonComplianceDetailCondition match the corresponding NonComplianceDetail fields. # A condition which is satisfied if there exists any matching NonComplianceDetail for the device.
        &quot;nonComplianceReason&quot;: &quot;A String&quot;, # The reason the device is not in compliance with the setting. If not set, then this condition matches any reason.
        &quot;packageName&quot;: &quot;A String&quot;, # The package name of the app that&#x27;s out of compliance. If not set, then this condition matches any package name.
        &quot;settingName&quot;: &quot;A String&quot;, # The name of the policy setting. This is the JSON field name of a top-level Policy field. If not set, then this condition matches any setting name.
      },
      &quot;packageNamesToDisable&quot;: [ # If set, the rule includes a mitigating action to disable apps specified in the list, but app data is preserved.
        &quot;A String&quot;,
      ],
    },
  ],
  &quot;createWindowsDisabled&quot;: True or False, # Whether creating windows besides app windows is disabled.
  &quot;credentialProviderPolicyDefault&quot;: &quot;A String&quot;, # Controls which apps are allowed to act as credential providers on Android 14 and above. These apps store credentials, see this (https://developer.android.com/training/sign-in/passkeys) and this (https://developer.android.com/reference/androidx/credentials/CredentialManager) for details. See also credentialProviderPolicy.
  &quot;credentialsConfigDisabled&quot;: True or False, # Whether configuring user credentials is disabled.
  &quot;crossProfilePolicies&quot;: { # Controls the data from the work profile that can be accessed from the personal profile and vice versa. A NonComplianceDetail with MANAGEMENT_MODE is reported if the device does not have a work profile. # Cross-profile policies applied on the device.
    &quot;crossProfileAppFunctions&quot;: &quot;A String&quot;, # Optional. Controls whether personal profile apps can invoke app functions exposed by apps in the work profile.
    &quot;crossProfileCopyPaste&quot;: &quot;A String&quot;, # Whether text copied from one profile (personal or work) can be pasted in the other profile.
    &quot;crossProfileDataSharing&quot;: &quot;A String&quot;, # Whether data from one profile (personal or work) can be shared with apps in the other profile. Specifically controls simple data sharing via intents. Management of other cross-profile communication channels, such as contact search, copy/paste, or connected work &amp; personal apps, are configured separately.
    &quot;exemptionsToShowWorkContactsInPersonalProfile&quot;: { # A list of package names. # List of apps which are excluded from the ShowWorkContactsInPersonalProfile setting. For this to be set, ShowWorkContactsInPersonalProfile must be set to one of the following values: SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_ALLOWED. In this case, these exemptions act as a blocklist. SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED. In this case, these exemptions act as an allowlist. SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED_EXCEPT_SYSTEM. In this case, these exemptions act as an allowlist, in addition to the already allowlisted system apps.Supported on Android 14 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 14.
      &quot;packageNames&quot;: [ # A list of package names.
        &quot;A String&quot;,
      ],
    },
    &quot;showWorkContactsInPersonalProfile&quot;: &quot;A String&quot;, # Whether personal apps can access contacts stored in the work profile.See also exemptions_to_show_work_contacts_in_personal_profile.
    &quot;workProfileWidgetsDefault&quot;: &quot;A String&quot;, # Specifies the default behaviour for work profile widgets. If the policy does not specify work_profile_widgets for a specific application, it will behave according to the value specified here.
  },
  &quot;dataRoamingDisabled&quot;: True or False, # Whether roaming data services are disabled.
  &quot;debuggingFeaturesAllowed&quot;: True or False, # Whether the user is allowed to enable debugging features.
  &quot;defaultApplicationSettings&quot;: [ # Optional. The default application setting for supported types. If the default application is successfully set for at least one app type on a profile, users are prevented from changing any default applications on that profile.Only one DefaultApplicationSetting is allowed for each DefaultApplicationType.See Default application settings (https://developers.google.com/android/management/default-application-settings) guide for more details.
    { # The default application setting for a DefaultApplicationType.
      &quot;defaultApplicationScopes&quot;: [ # Required. The scopes to which the policy should be applied. This list must not be empty or contain duplicates.A NonComplianceDetail with MANAGEMENT_MODE reason and DEFAULT_APPLICATION_SETTING_UNSUPPORTED_SCOPES specific reason is reported if none of the specified scopes can be applied to the management mode (e.g. a fully managed device receives a policy with only SCOPE_PERSONAL_PROFILE in the list).
        &quot;A String&quot;,
      ],
      &quot;defaultApplicationType&quot;: &quot;A String&quot;, # Required. The app type to set the default application.
      &quot;defaultApplications&quot;: [ # Required. The list of applications that can be set as the default app for a given type. This list must not be empty or contain duplicates. The first app in the list that is installed and qualified for the defaultApplicationType (e.g. SMS app for DEFAULT_SMS) is set as the default app. The signing key certificate fingerprint of the app on the device must also match one of the signing key certificate fingerprints obtained from Play Store or one of the entries in ApplicationPolicy.signingKeyCerts in order to be set as the default.If the defaultApplicationScopes contains SCOPE_FULLY_MANAGED or SCOPE_WORK_PROFILE, the app must have an entry in applications with installType set to a value other than BLOCKED.A NonComplianceDetail with APP_NOT_INSTALLED reason and DEFAULT_APPLICATION_SETTING_FAILED_FOR_SCOPE specific reason is reported if none of the apps in the list are installed. A NonComplianceDetail with INVALID_VALUE reason and DEFAULT_APPLICATION_SETTING_FAILED_FOR_SCOPE specific reason is reported if at least one app is installed but the policy fails to apply due to other reasons (e.g. the app is not of the right type).When applying to SCOPE_PERSONAL_PROFILE on a company-owned device with a work profile, only pre-installed system apps can be set as the default. A NonComplianceDetail with INVALID_VALUE reason and DEFAULT_APPLICATION_SETTING_FAILED_FOR_SCOPE specific reason is reported if the policy fails to apply to the personal profile.
        { # Information about the application to be set as the default.
          &quot;packageName&quot;: &quot;A String&quot;, # Required. The package name that should be set as the default application. The policy is rejected if the package name is invalid.
        },
      ],
    },
  ],
  &quot;defaultPermissionPolicy&quot;: &quot;A String&quot;, # The default permission policy for runtime permission requests.
  &quot;deviceConnectivityManagement&quot;: { # Covers controls for device connectivity such as Wi-Fi, USB data access, keyboard/mouse connections, and more. # Covers controls for device connectivity such as Wi-Fi, USB data access, keyboard/mouse connections, and more.
    &quot;apnPolicy&quot;: { # Access Point Name (APN) policy. Configuration for Access Point Names (APNs) which may override any other APNs on the device. See OVERRIDE_APNS_ENABLED and overrideApns for details. # Optional. Access Point Name (APN) policy. Configuration for Access Point Names (APNs) which may override any other APNs on the device. See OVERRIDE_APNS_ENABLED and overrideApns for details.
      &quot;apnSettings&quot;: [ # Optional. APN settings for override APNs. There must not be any conflict between any of APN settings provided, otherwise the policy will be rejected. Two ApnSettings are considered to conflict when all of the following fields match on both: numericOperatorId, apn, proxyAddress, proxyPort, mmsProxyAddress, mmsProxyPort, mmsc, mvnoType, protocol, roamingProtocol. If some of the APN settings result in non-compliance of INVALID_VALUE , they will be ignored. This can be set on fully managed devices on Android 10 and above. This can also be set on work profiles on Android 13 and above and only with ApnSetting&#x27;s with ENTERPRISE APN type. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 10. A NonComplianceDetail with MANAGEMENT_MODE is reported for work profiles on Android versions less than 13.
        { # An Access Point Name (APN) configuration for a carrier data connection. The APN provides configuration to connect a cellular network device to an IP data network. A carrier uses this setting to decide which IP address to assign, any security methods to apply, and how the device might be connected to private networks.
          &quot;alwaysOnSetting&quot;: &quot;A String&quot;, # Optional. Whether User Plane resources have to be activated during every transition from CM-IDLE mode to CM-CONNECTED state for this APN. See 3GPP TS 23.501 section 5.6.13.
          &quot;apn&quot;: &quot;A String&quot;, # Required. Name of the APN. Policy will be rejected if this field is empty.
          &quot;apnTypes&quot;: [ # Required. Usage categories for the APN. Policy will be rejected if this field is empty or contains APN_TYPE_UNSPECIFIED or duplicates. Multiple APN types can be set on fully managed devices. ENTERPRISE is the only allowed APN type on work profiles. A NonComplianceDetail with MANAGEMENT_MODE is reported for any other value on work profiles. APN types that are not supported on the device or management mode will be ignored. If this results in the empty list, the APN setting will be ignored, because apnTypes is a required field. A NonComplianceDetail with INVALID_VALUE is reported if none of the APN types are supported on the device or management mode.
            &quot;A String&quot;,
          ],
          &quot;authType&quot;: &quot;A String&quot;, # Optional. Authentication type of the APN.
          &quot;carrierId&quot;: 42, # Optional. Carrier ID for the APN. A value of 0 (default) means not set and negative values are rejected.
          &quot;displayName&quot;: &quot;A String&quot;, # Required. Human-readable name that describes the APN. Policy will be rejected if this field is empty.
          &quot;mmsProxyAddress&quot;: &quot;A String&quot;, # Optional. MMS (Multimedia Messaging Service) proxy address of the APN which can be an IP address or hostname (not a URL).
          &quot;mmsProxyPort&quot;: 42, # Optional. MMS (Multimedia Messaging Service) proxy port of the APN. A value of 0 (default) means not set and negative values are rejected.
          &quot;mmsc&quot;: &quot;A String&quot;, # Optional. MMSC (Multimedia Messaging Service Center) URI of the APN.
          &quot;mtuV4&quot;: 42, # Optional. The default MTU (Maximum Transmission Unit) size in bytes of the IPv4 routes brought up by this APN setting. A value of 0 (default) means not set and negative values are rejected. Supported on Android 13 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 13.
          &quot;mtuV6&quot;: 42, # Optional. The MTU (Maximum Transmission Unit) size of the IPv6 mobile interface to which the APN connected. A value of 0 (default) means not set and negative values are rejected. Supported on Android 13 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 13.
          &quot;mvnoType&quot;: &quot;A String&quot;, # Optional. MVNO match type for the APN.
          &quot;networkTypes&quot;: [ # Optional. Radio technologies (network types) the APN may use. Policy will be rejected if this field contains NETWORK_TYPE_UNSPECIFIED or duplicates.
            &quot;A String&quot;,
          ],
          &quot;numericOperatorId&quot;: &quot;A String&quot;, # Optional. The numeric operator ID of the APN. Numeric operator ID is defined as MCC (Mobile Country Code) + MNC (Mobile Network Code).
          &quot;password&quot;: &quot;A String&quot;, # Optional. APN password of the APN.
          &quot;protocol&quot;: &quot;A String&quot;, # Optional. The protocol to use to connect to this APN.
          &quot;proxyAddress&quot;: &quot;A String&quot;, # Optional. The proxy address of the APN.
          &quot;proxyPort&quot;: 42, # Optional. The proxy port of the APN. A value of 0 (default) means not set and negative values are rejected.
          &quot;roamingProtocol&quot;: &quot;A String&quot;, # Optional. The protocol to use to connect to this APN while the device is roaming.
          &quot;username&quot;: &quot;A String&quot;, # Optional. APN username of the APN.
        },
      ],
      &quot;overrideApns&quot;: &quot;A String&quot;, # Optional. Whether override APNs are disabled or enabled. See DevicePolicyManager.setOverrideApnsEnabled (https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setOverrideApnsEnabled) for more details.
    },
    &quot;bluetoothSharing&quot;: &quot;A String&quot;, # Optional. Controls whether Bluetooth sharing is allowed.
    &quot;configureWifi&quot;: &quot;A String&quot;, # Controls Wi-Fi configuring privileges. Based on the option set, user will have either full or limited or no control in configuring Wi-Fi networks.
    &quot;preferentialNetworkServiceSettings&quot;: { # Preferential network service settings. # Optional. Preferential network service configuration. Setting this field will override preferentialNetworkService. This can be set on both work profiles and fully managed devices on Android 13 and above. See 5G network slicing (https://developers.google.com/android/management/5g-network-slicing) guide for more details.
      &quot;defaultPreferentialNetworkId&quot;: &quot;A String&quot;, # Required. Default preferential network ID for the applications that are not in applications or if ApplicationPolicy.preferentialNetworkId is set to PREFERENTIAL_NETWORK_ID_UNSPECIFIED. There must be a configuration for the specified network ID in preferentialNetworkServiceConfigs, unless this is set to NO_PREFERENTIAL_NETWORK. If set to PREFERENTIAL_NETWORK_ID_UNSPECIFIED or unset, this defaults to NO_PREFERENTIAL_NETWORK. Note: If the default preferential network is misconfigured, applications with no ApplicationPolicy.preferentialNetworkId set are not able to access the internet. This setting does not apply to the following critical apps: com.google.android.apps.work.clouddpc com.google.android.gmsApplicationPolicy.preferentialNetworkId can still be used to configure the preferential network for them.
      &quot;preferentialNetworkServiceConfigs&quot;: [ # Required. Preferential network service configurations which enables having multiple enterprise slices. There must not be multiple configurations with the same preferentialNetworkId. If a configuration is not referenced by any application by setting ApplicationPolicy.preferentialNetworkId or by setting defaultPreferentialNetworkId, it will be ignored. For devices on 4G networks, enterprise APN needs to be configured additionally to set up data call for preferential network service. These APNs can be added using apnPolicy.
        { # Individual preferential network service configuration.
          &quot;fallbackToDefaultConnection&quot;: &quot;A String&quot;, # Optional. Whether fallback to the device-wide default network is allowed. If this is set to FALLBACK_TO_DEFAULT_CONNECTION_ALLOWED, then nonMatchingNetworks must not be set to NON_MATCHING_NETWORKS_DISALLOWED, the policy will be rejected otherwise. Note: If this is set to FALLBACK_TO_DEFAULT_CONNECTION_DISALLOWED, applications are not able to access the internet if the 5G slice is not available.
          &quot;nonMatchingNetworks&quot;: &quot;A String&quot;, # Optional. Whether apps this configuration applies to are blocked from using networks other than the preferential service. If this is set to NON_MATCHING_NETWORKS_DISALLOWED, then fallbackToDefaultConnection must be set to FALLBACK_TO_DEFAULT_CONNECTION_DISALLOWED.
          &quot;preferentialNetworkId&quot;: &quot;A String&quot;, # Required. Preferential network identifier. This must not be set to NO_PREFERENTIAL_NETWORK or PREFERENTIAL_NETWORK_ID_UNSPECIFIED, the policy will be rejected otherwise.
        },
      ],
    },
    &quot;tetheringSettings&quot;: &quot;A String&quot;, # Controls tethering settings. Based on the value set, the user is partially or fully disallowed from using different forms of tethering.
    &quot;usbDataAccess&quot;: &quot;A String&quot;, # Controls what files and/or data can be transferred via USB. Supported only on company-owned devices.
    &quot;wifiDirectSettings&quot;: &quot;A String&quot;, # Controls configuring and using Wi-Fi direct settings. Supported on company-owned devices running Android 13 and above.
    &quot;wifiRoamingPolicy&quot;: { # Wi-Fi roaming policy. # Optional. Wi-Fi roaming policy.
      &quot;wifiRoamingSettings&quot;: [ # Optional. Wi-Fi roaming settings. SSIDs provided in this list must be unique, the policy will be rejected otherwise.
        { # Wi-Fi roaming setting.
          &quot;wifiRoamingMode&quot;: &quot;A String&quot;, # Required. Wi-Fi roaming mode for the specified SSID.
          &quot;wifiSsid&quot;: &quot;A String&quot;, # Required. SSID of the Wi-Fi network.
        },
      ],
    },
    &quot;wifiSsidPolicy&quot;: { # Restrictions on which Wi-Fi SSIDs the device can connect to. Note that this does not affect which networks can be configured on the device. Supported on company-owned devices running Android 13 and above. # Restrictions on which Wi-Fi SSIDs the device can connect to. Note that this does not affect which networks can be configured on the device. Supported on company-owned devices running Android 13 and above.
      &quot;wifiSsidPolicyType&quot;: &quot;A String&quot;, # Type of the Wi-Fi SSID policy to be applied.
      &quot;wifiSsids&quot;: [ # Optional. List of Wi-Fi SSIDs that should be applied in the policy. This field must be non-empty when WifiSsidPolicyType is set to WIFI_SSID_ALLOWLIST. If this is set to a non-empty list, then a NonComplianceDetail detail with API_LEVEL is reported if the Android version is less than 13 and a NonComplianceDetail with MANAGEMENT_MODE is reported for non-company-owned devices.
        { # Represents a Wi-Fi SSID.
          &quot;wifiSsid&quot;: &quot;A String&quot;, # Required. Wi-Fi SSID represented as a string.
        },
      ],
    },
  },
  &quot;deviceOwnerLockScreenInfo&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # The device owner information to be shown on the lock screen.
    &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
    &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
      &quot;a_key&quot;: &quot;A String&quot;,
    },
  },
  &quot;deviceRadioState&quot;: { # Controls for device radio settings. # Covers controls for radio state such as Wi-Fi, bluetooth, and more.
    &quot;airplaneModeState&quot;: &quot;A String&quot;, # Controls whether airplane mode can be toggled by the user or not.
    &quot;cellularTwoGState&quot;: &quot;A String&quot;, # Controls whether cellular 2G setting can be toggled by the user or not.
    &quot;minimumWifiSecurityLevel&quot;: &quot;A String&quot;, # The minimum required security level of Wi-Fi networks that the device can connect to.
    &quot;ultraWidebandState&quot;: &quot;A String&quot;, # Controls the state of the ultra wideband setting and whether the user can toggle it on or off.
    &quot;wifiState&quot;: &quot;A String&quot;, # Controls current state of Wi-Fi and if user can change its state.
  },
  &quot;displaySettings&quot;: { # Controls for the display settings. # Optional. Controls for the display settings.
    &quot;screenBrightnessSettings&quot;: { # Controls for the screen brightness settings. # Optional. Controls the screen brightness settings.
      &quot;screenBrightness&quot;: 42, # Optional. The screen brightness between 1 and 255 where 1 is the lowest and 255 is the highest brightness. A value of 0 (default) means no screen brightness set. Any other value is rejected. screenBrightnessMode must be either BRIGHTNESS_AUTOMATIC or BRIGHTNESS_FIXED to set this. Supported on Android 9 and above on fully managed devices. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 9. Supported on work profiles on company-owned devices on Android 15 and above.
      &quot;screenBrightnessMode&quot;: &quot;A String&quot;, # Optional. Controls the screen brightness mode.
    },
    &quot;screenTimeoutSettings&quot;: { # Controls the screen timeout settings. # Optional. Controls the screen timeout settings.
      &quot;screenTimeout&quot;: &quot;A String&quot;, # Optional. Controls the screen timeout duration. The screen timeout duration must be greater than 0, otherwise it is rejected. Additionally, it should not be greater than maximumTimeToLock, otherwise the screen timeout is set to maximumTimeToLock and a NonComplianceDetail with INVALID_VALUE reason and SCREEN_TIMEOUT_GREATER_THAN_MAXIMUM_TIME_TO_LOCK specific reason is reported. If the screen timeout is less than a certain lower bound, it is set to the lower bound. The lower bound may vary across devices. If this is set, screenTimeoutMode must be SCREEN_TIMEOUT_ENFORCED. Supported on Android 9 and above on fully managed devices. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 9. Supported on work profiles on company-owned devices on Android 15 and above.
      &quot;screenTimeoutMode&quot;: &quot;A String&quot;, # Optional. Controls whether the user is allowed to configure the screen timeout.
    },
  },
  &quot;encryptionPolicy&quot;: &quot;A String&quot;, # Whether encryption is enabled
  &quot;ensureVerifyAppsEnabled&quot;: True or False, # Whether app verification is force-enabled.
  &quot;enterpriseDisplayNameVisibility&quot;: &quot;A String&quot;, # Optional. Controls whether the enterpriseDisplayName is visible on the device (e.g. lock screen message on company-owned devices).
  &quot;factoryResetDisabled&quot;: True or False, # Whether factory resetting from settings is disabled.
  &quot;frpAdminEmails&quot;: [ # Email addresses of device administrators for factory reset protection. When the device is factory reset, it will require one of these admins to log in with the Google account email and password to unlock the device. If no admins are specified, the device won&#x27;t provide factory reset protection.
    &quot;A String&quot;,
  ],
  &quot;funDisabled&quot;: True or False, # Whether the user is allowed to have fun. Controls whether the Easter egg game in Settings is disabled.
  &quot;installAppsDisabled&quot;: True or False, # Whether user installation of apps is disabled.
  &quot;installUnknownSourcesAllowed&quot;: True or False, # This field has no effect.
  &quot;keyguardDisabled&quot;: True or False, # If true, this disables the Lock Screen (https://source.android.com/docs/core/display/multi_display/lock-screen) for primary and/or secondary displays. This policy is supported only in dedicated device management mode.
  &quot;keyguardDisabledFeatures&quot;: [ # Disabled keyguard customizations, such as widgets.
    &quot;A String&quot;,
  ],
  &quot;kioskCustomLauncherEnabled&quot;: True or False, # Whether the kiosk custom launcher is enabled. This replaces the home screen with a launcher that locks down the device to the apps installed via the applications setting. Apps appear on a single page in alphabetical order. Use kioskCustomization to further configure the kiosk device behavior.
  &quot;kioskCustomization&quot;: { # Settings controlling the behavior of a device in kiosk mode. To enable kiosk mode, set kioskCustomLauncherEnabled to true or specify an app in the policy with installType KIOSK. # Settings controlling the behavior of a device in kiosk mode. To enable kiosk mode, set kioskCustomLauncherEnabled to true or specify an app in the policy with installType KIOSK.
    &quot;deviceSettings&quot;: &quot;A String&quot;, # Specifies whether the Settings app is allowed in kiosk mode.
    &quot;powerButtonActions&quot;: &quot;A String&quot;, # Sets the behavior of a device in kiosk mode when a user presses and holds (long-presses) the Power button.
    &quot;statusBar&quot;: &quot;A String&quot;, # Specifies whether system info and notifications are disabled in kiosk mode.
    &quot;systemErrorWarnings&quot;: &quot;A String&quot;, # Specifies whether system error dialogs for crashed or unresponsive apps are blocked in kiosk mode. When blocked, the system will force-stop the app as if the user chooses the &quot;close app&quot; option on the UI.
    &quot;systemNavigation&quot;: &quot;A String&quot;, # Specifies which navigation features are enabled (e.g. Home, Overview buttons) in kiosk mode.
  },
  &quot;locationMode&quot;: &quot;A String&quot;, # The degree of location detection enabled.
  &quot;longSupportMessage&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # A message displayed to the user in the device administators settings screen.
    &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
    &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
      &quot;a_key&quot;: &quot;A String&quot;,
    },
  },
  &quot;maximumTimeToLock&quot;: &quot;A String&quot;, # Maximum time in milliseconds for user activity until the device locks. A value of 0 means there is no restriction.
  &quot;microphoneAccess&quot;: &quot;A String&quot;, # Controls the use of the microphone and whether the user has access to the microphone access toggle. This applies only on fully managed devices.
  &quot;minimumApiLevel&quot;: 42, # The minimum allowed Android API level.
  &quot;mobileNetworksConfigDisabled&quot;: True or False, # Whether configuring mobile networks is disabled.
  &quot;modifyAccountsDisabled&quot;: True or False, # Whether adding or removing accounts is disabled.
  &quot;mountPhysicalMediaDisabled&quot;: True or False, # Whether the user mounting physical external media is disabled.
  &quot;name&quot;: &quot;A String&quot;, # The name of the policy in the form enterprises/{enterpriseId}/policies/{policyId}.
  &quot;networkEscapeHatchEnabled&quot;: True or False, # Whether the network escape hatch is enabled. If a network connection can&#x27;t be made at boot time, the escape hatch prompts the user to temporarily connect to a network in order to refresh the device policy. After applying policy, the temporary network will be forgotten and the device will continue booting. This prevents being unable to connect to a network if there is no suitable network in the last policy and the device boots into an app in lock task mode, or the user is otherwise unable to reach device settings.Note: Setting wifiConfigDisabled to true will override this setting under specific circumstances. Please see wifiConfigDisabled for further details. Setting configureWifi to DISALLOW_CONFIGURING_WIFI will override this setting under specific circumstances. Please see DISALLOW_CONFIGURING_WIFI for further details.
  &quot;networkResetDisabled&quot;: True or False, # Whether resetting network settings is disabled.
  &quot;oncCertificateProviders&quot;: [ # This feature is not generally available.
    { # This feature is not generally available.
      &quot;certificateReferences&quot;: [ # This feature is not generally available.
        &quot;A String&quot;,
      ],
      &quot;contentProviderEndpoint&quot;: { # This feature is not generally available. # This feature is not generally available.
        &quot;packageName&quot;: &quot;A String&quot;, # This feature is not generally available.
        &quot;signingCertsSha256&quot;: [ # Required. This feature is not generally available.
          &quot;A String&quot;,
        ],
        &quot;uri&quot;: &quot;A String&quot;, # This feature is not generally available.
      },
    },
  ],
  &quot;openNetworkConfiguration&quot;: { # Network configuration for the device. See configure networks for more information.
    &quot;a_key&quot;: &quot;&quot;, # Properties of the object.
  },
  &quot;outgoingBeamDisabled&quot;: True or False, # Whether using NFC to beam data from apps is disabled.
  &quot;outgoingCallsDisabled&quot;: True or False, # Whether outgoing calls are disabled.
  &quot;passwordPolicies&quot;: [ # Password requirement policies. Different policies can be set for work profile or fully managed devices by setting the password_scope field in the policy.
    { # Requirements for the password used to unlock a device.
      &quot;maximumFailedPasswordsForWipe&quot;: 42, # Number of incorrect device-unlock passwords that can be entered before a device is wiped. A value of 0 means there is no restriction.
      &quot;passwordExpirationTimeout&quot;: &quot;A String&quot;, # Password expiration timeout.
      &quot;passwordHistoryLength&quot;: 42, # The length of the password history. After setting this field, the user won&#x27;t be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction.
      &quot;passwordMinimumLength&quot;: 42, # The minimum allowed password length. A value of 0 means there is no restriction. Only enforced when password_quality is NUMERIC, NUMERIC_COMPLEX, ALPHABETIC, ALPHANUMERIC, or COMPLEX.
      &quot;passwordMinimumLetters&quot;: 42, # Minimum number of letters required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumLowerCase&quot;: 42, # Minimum number of lower case letters required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumNonLetter&quot;: 42, # Minimum number of non-letter characters (numerical digits or symbols) required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumNumeric&quot;: 42, # Minimum number of numerical digits required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumSymbols&quot;: 42, # Minimum number of symbols required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumUpperCase&quot;: 42, # Minimum number of upper case letters required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordQuality&quot;: &quot;A String&quot;, # The required password quality.
      &quot;passwordScope&quot;: &quot;A String&quot;, # The scope that the password requirement applies to.
      &quot;requirePasswordUnlock&quot;: &quot;A String&quot;, # The length of time after a device or work profile is unlocked using a strong form of authentication (password, PIN, pattern) that it can be unlocked using any other authentication method (e.g. fingerprint, trust agents, face). After the specified time period elapses, only strong forms of authentication can be used to unlock the device or work profile.
      &quot;unifiedLockSettings&quot;: &quot;A String&quot;, # Controls whether a unified lock is allowed for the device and the work profile, on devices running Android 9 and above with a work profile. This can be set only if password_scope is set to SCOPE_PROFILE, the policy will be rejected otherwise. If user has not set a separate work lock and this field is set to REQUIRE_SEPARATE_WORK_LOCK, a NonComplianceDetail is reported with nonComplianceReason set to USER_ACTION.
    },
  ],
  &quot;passwordRequirements&quot;: { # Requirements for the password used to unlock a device. # Password requirements. The field password_requirements.require_password_unlock must not be set. DEPRECATED - Use passwordPolicies.Note:Complexity-based values of PasswordQuality, that is, COMPLEXITY_LOW, COMPLEXITY_MEDIUM, and COMPLEXITY_HIGH, cannot be used here. unified_lock_settings cannot be used here.
    &quot;maximumFailedPasswordsForWipe&quot;: 42, # Number of incorrect device-unlock passwords that can be entered before a device is wiped. A value of 0 means there is no restriction.
    &quot;passwordExpirationTimeout&quot;: &quot;A String&quot;, # Password expiration timeout.
    &quot;passwordHistoryLength&quot;: 42, # The length of the password history. After setting this field, the user won&#x27;t be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction.
    &quot;passwordMinimumLength&quot;: 42, # The minimum allowed password length. A value of 0 means there is no restriction. Only enforced when password_quality is NUMERIC, NUMERIC_COMPLEX, ALPHABETIC, ALPHANUMERIC, or COMPLEX.
    &quot;passwordMinimumLetters&quot;: 42, # Minimum number of letters required in the password. Only enforced when password_quality is COMPLEX.
    &quot;passwordMinimumLowerCase&quot;: 42, # Minimum number of lower case letters required in the password. Only enforced when password_quality is COMPLEX.
    &quot;passwordMinimumNonLetter&quot;: 42, # Minimum number of non-letter characters (numerical digits or symbols) required in the password. Only enforced when password_quality is COMPLEX.
    &quot;passwordMinimumNumeric&quot;: 42, # Minimum number of numerical digits required in the password. Only enforced when password_quality is COMPLEX.
    &quot;passwordMinimumSymbols&quot;: 42, # Minimum number of symbols required in the password. Only enforced when password_quality is COMPLEX.
    &quot;passwordMinimumUpperCase&quot;: 42, # Minimum number of upper case letters required in the password. Only enforced when password_quality is COMPLEX.
    &quot;passwordQuality&quot;: &quot;A String&quot;, # The required password quality.
    &quot;passwordScope&quot;: &quot;A String&quot;, # The scope that the password requirement applies to.
    &quot;requirePasswordUnlock&quot;: &quot;A String&quot;, # The length of time after a device or work profile is unlocked using a strong form of authentication (password, PIN, pattern) that it can be unlocked using any other authentication method (e.g. fingerprint, trust agents, face). After the specified time period elapses, only strong forms of authentication can be used to unlock the device or work profile.
    &quot;unifiedLockSettings&quot;: &quot;A String&quot;, # Controls whether a unified lock is allowed for the device and the work profile, on devices running Android 9 and above with a work profile. This can be set only if password_scope is set to SCOPE_PROFILE, the policy will be rejected otherwise. If user has not set a separate work lock and this field is set to REQUIRE_SEPARATE_WORK_LOCK, a NonComplianceDetail is reported with nonComplianceReason set to USER_ACTION.
  },
  &quot;permissionGrants&quot;: [ # Explicit permission or group grants or denials for all apps. These values override the default_permission_policy.
    { # Configuration for an Android permission and its grant state.
      &quot;permission&quot;: &quot;A String&quot;, # The Android permission or group, e.g. android.permission.READ_CALENDAR or android.permission_group.CALENDAR.
      &quot;policy&quot;: &quot;A String&quot;, # The policy for granting the permission.
    },
  ],
  &quot;permittedAccessibilityServices&quot;: { # A list of package names. # Specifies permitted accessibility services. If the field is not set, any accessibility service can be used. If the field is set, only the accessibility services in this list and the system&#x27;s built-in accessibility service can be used. In particular, if the field is set to empty, only the system&#x27;s built-in accessibility servicess can be used. This can be set on fully managed devices and on work profiles. When applied to a work profile, this affects both the personal profile and the work profile.
    &quot;packageNames&quot;: [ # A list of package names.
      &quot;A String&quot;,
    ],
  },
  &quot;permittedInputMethods&quot;: { # A list of package names. # If present, only the input methods provided by packages in this list are permitted. If this field is present, but the list is empty, then only system input methods are permitted.
    &quot;packageNames&quot;: [ # A list of package names.
      &quot;A String&quot;,
    ],
  },
  &quot;persistentPreferredActivities&quot;: [ # Default intent handler activities.
    { # A default activity for handling intents that match a particular intent filter. Note: To set up a kiosk, use InstallType to KIOSK rather than use persistent preferred activities.
      &quot;actions&quot;: [ # The intent actions to match in the filter. If any actions are included in the filter, then an intent&#x27;s action must be one of those values for it to match. If no actions are included, the intent action is ignored.
        &quot;A String&quot;,
      ],
      &quot;categories&quot;: [ # The intent categories to match in the filter. An intent includes the categories that it requires, all of which must be included in the filter in order to match. In other words, adding a category to the filter has no impact on matching unless that category is specified in the intent.
        &quot;A String&quot;,
      ],
      &quot;receiverActivity&quot;: &quot;A String&quot;, # The activity that should be the default intent handler. This should be an Android component name, e.g. com.android.enterprise.app/.MainActivity. Alternatively, the value may be the package name of an app, which causes Android Device Policy to choose an appropriate activity from the app to handle the intent.
    },
  ],
  &quot;personalUsagePolicies&quot;: { # Policies controlling personal usage on a company-owned device with a work profile. # Policies managing personal usage on a company-owned device.
    &quot;accountTypesWithManagementDisabled&quot;: [ # Account types that can&#x27;t be managed by the user.
      &quot;A String&quot;,
    ],
    &quot;bluetoothSharing&quot;: &quot;A String&quot;, # Optional. Whether bluetooth sharing is allowed.
    &quot;cameraDisabled&quot;: True or False, # If true, the camera is disabled on the personal profile.
    &quot;maxDaysWithWorkOff&quot;: 42, # Controls how long the work profile can stay off. The minimum duration must be at least 3 days. Other details are as follows: - If the duration is set to 0, the feature is turned off. - If the duration is set to a value smaller than the minimum duration, the feature returns an error. *Note:* If you want to avoid personal profiles being suspended during long periods of off-time, you can temporarily set a large value for this parameter.
    &quot;personalApplications&quot;: [ # Policy applied to applications in the personal profile.
      { # Policies for apps in the personal profile of a company-owned device with a work profile.
        &quot;installType&quot;: &quot;A String&quot;, # The type of installation to perform.
        &quot;packageName&quot;: &quot;A String&quot;, # The package name of the application.
      },
    ],
    &quot;personalPlayStoreMode&quot;: &quot;A String&quot;, # Used together with personalApplications to control how apps in the personal profile are allowed or blocked.
    &quot;privateSpacePolicy&quot;: &quot;A String&quot;, # Optional. Controls whether a private space is allowed on the device.
    &quot;screenCaptureDisabled&quot;: True or False, # If true, screen capture is disabled for all users.
  },
  &quot;playStoreMode&quot;: &quot;A String&quot;, # This mode controls which apps are available to the user in the Play Store and the behavior on the device when apps are removed from the policy.
  &quot;policyEnforcementRules&quot;: [ # Rules that define the behavior when a particular policy can not be applied on device
    { # A rule that defines the actions to take if a device or work profile is not compliant with the policy specified in settingName. In the case of multiple matching or multiple triggered enforcement rules, a merge will occur with the most severe action being taken. However, all triggered rules are still kept track of: this includes initial trigger time and all associated non-compliance details. In the situation where the most severe enforcement rule is satisfied, the next most appropriate action is applied.
      &quot;blockAction&quot;: { # An action to block access to apps and data on a fully managed device or in a work profile. This action also triggers a device or work profile to displays a user-facing notification with information (where possible) on how to correct the compliance issue. Note: wipeAction must also be specified. # An action to block access to apps and data on a company owned device or in a work profile. This action also triggers a user-facing notification with information (where possible) on how to correct the compliance issue. Note: wipeAction must also be specified.
        &quot;blockAfterDays&quot;: 42, # Number of days the policy is non-compliant before the device or work profile is blocked. To block access immediately, set to 0. blockAfterDays must be less than wipeAfterDays.
        &quot;blockScope&quot;: &quot;A String&quot;, # Specifies the scope of this BlockAction. Only applicable to devices that are company-owned.
      },
      &quot;settingName&quot;: &quot;A String&quot;, # The top-level policy to enforce. For example, applications or passwordPolicies.
      &quot;wipeAction&quot;: { # An action to reset a company owned device or delete a work profile. Note: blockAction must also be specified. # An action to reset a company owned device or delete a work profile. Note: blockAction must also be specified.
        &quot;preserveFrp&quot;: True or False, # Whether the factory-reset protection data is preserved on the device. This setting doesn’t apply to work profiles.
        &quot;wipeAfterDays&quot;: 42, # Number of days the policy is non-compliant before the device or work profile is wiped. wipeAfterDays must be greater than blockAfterDays.
      },
    },
  ],
  &quot;preferentialNetworkService&quot;: &quot;A String&quot;, # Controls whether preferential network service is enabled on the work profile or on fully managed devices. For example, an organization may have an agreement with a carrier that all of the work data from its employees&#x27; devices will be sent via a network service dedicated for enterprise use. An example of a supported preferential network service is the enterprise slice on 5G networks. This policy has no effect if preferentialNetworkServiceSettings or ApplicationPolicy.preferentialNetworkId is set on devices running Android 13 or above.
  &quot;printingPolicy&quot;: &quot;A String&quot;, # Optional. Controls whether printing is allowed. This is supported on devices running Android 9 and above. .
  &quot;privateKeySelectionEnabled&quot;: True or False, # Allows showing UI on a device for a user to choose a private key alias if there are no matching rules in ChoosePrivateKeyRules. For devices below Android P, setting this may leave enterprise keys vulnerable. This value will have no effect if any application has CERT_SELECTION delegation scope.
  &quot;recommendedGlobalProxy&quot;: { # Configuration info for an HTTP proxy. For a direct proxy, set the host, port, and excluded_hosts fields. For a PAC script proxy, set the pac_uri field. # The network-independent global HTTP proxy. Typically proxies should be configured per-network in open_network_configuration. However for unusual configurations like general internal filtering a global HTTP proxy may be useful. If the proxy is not accessible, network access may break. The global proxy is only a recommendation and some apps may ignore it.
    &quot;excludedHosts&quot;: [ # For a direct proxy, the hosts for which the proxy is bypassed. The host names may contain wildcards such as *.example.com.
      &quot;A String&quot;,
    ],
    &quot;host&quot;: &quot;A String&quot;, # The host of the direct proxy.
    &quot;pacUri&quot;: &quot;A String&quot;, # The URI of the PAC script used to configure the proxy.
    &quot;port&quot;: 42, # The port of the direct proxy.
  },
  &quot;removeUserDisabled&quot;: True or False, # Whether removing other users is disabled.
  &quot;safeBootDisabled&quot;: True or False, # Whether rebooting the device into safe boot is disabled.
  &quot;screenCaptureDisabled&quot;: True or False, # Whether screen capture is disabled.
  &quot;setUserIconDisabled&quot;: True or False, # Whether changing the user icon is disabled. The setting has effect only on fully managed devices.
  &quot;setWallpaperDisabled&quot;: True or False, # Whether changing the wallpaper is disabled.
  &quot;setupActions&quot;: [ # Action to take during the setup process. At most one action may be specified.
    { # An action executed during setup.
      &quot;description&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # Description of this action.
        &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
        &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
          &quot;a_key&quot;: &quot;A String&quot;,
        },
      },
      &quot;launchApp&quot;: { # An action to launch an app. # An action to launch an app. The app will be launched with an intent containing an extra with key com.google.android.apps.work.clouddpc.EXTRA_LAUNCHED_AS_SETUP_ACTION set to the boolean value true to indicate that this is a setup action flow. If SetupAction references an app, the corresponding installType in the application policy must be set as REQUIRED_FOR_SETUP or said setup will fail.
        &quot;packageName&quot;: &quot;A String&quot;, # Package name of app to be launched
      },
      &quot;title&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # Title of this action.
        &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
        &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
          &quot;a_key&quot;: &quot;A String&quot;,
        },
      },
    },
  ],
  &quot;shareLocationDisabled&quot;: True or False, # Whether location sharing is disabled. share_location_disabled is supported for both fully managed devices and personally owned work profiles.
  &quot;shortSupportMessage&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # A message displayed to the user in the settings screen wherever functionality has been disabled by the admin. If the message is longer than 200 characters it may be truncated.
    &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
    &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
      &quot;a_key&quot;: &quot;A String&quot;,
    },
  },
  &quot;skipFirstUseHintsEnabled&quot;: True or False, # Flag to skip hints on the first use. Enterprise admin can enable the system recommendation for apps to skip their user tutorial and other introductory hints on first start-up.
  &quot;smsDisabled&quot;: True or False, # Whether sending and receiving SMS messages is disabled.
  &quot;statusBarDisabled&quot;: True or False, # Whether the status bar is disabled. This disables notifications, quick settings, and other screen overlays that allow escape from full-screen mode. DEPRECATED. To disable the status bar on a kiosk device, use InstallType KIOSK or kioskCustomLauncherEnabled.
  &quot;statusReportingSettings&quot;: { # Settings controlling the behavior of status reports. # Status reporting settings
    &quot;applicationReportingSettings&quot;: { # Settings controlling the behavior of application reports. # Application reporting settings. Only applicable if application_reports_enabled is true.
      &quot;includeRemovedApps&quot;: True or False, # Whether removed apps are included in application reports.
    },
    &quot;applicationReportsEnabled&quot;: True or False, # Whether app reports are enabled.
    &quot;commonCriteriaModeEnabled&quot;: True or False, # Whether Common Criteria Mode reporting is enabled. This is supported only on company-owned devices.
    &quot;defaultApplicationInfoReportingEnabled&quot;: True or False, # Optional. Whether defaultApplicationInfo reporting is enabled.
    &quot;deviceSettingsEnabled&quot;: True or False, # Whether device settings reporting is enabled.
    &quot;displayInfoEnabled&quot;: True or False, # Whether displays reporting is enabled. Report data is not available for personally owned devices with work profiles.
    &quot;hardwareStatusEnabled&quot;: True or False, # Whether hardware status reporting is enabled. Report data is not available for personally owned devices with work profiles.
    &quot;memoryInfoEnabled&quot;: True or False, # Whether memory event reporting is enabled.
    &quot;networkInfoEnabled&quot;: True or False, # Whether network info reporting is enabled.
    &quot;powerManagementEventsEnabled&quot;: True or False, # Whether power management event reporting is enabled. Report data is not available for personally owned devices with work profiles.
    &quot;softwareInfoEnabled&quot;: True or False, # Whether software info reporting is enabled.
    &quot;systemPropertiesEnabled&quot;: True or False, # Whether system properties reporting is enabled.
  },
  &quot;stayOnPluggedModes&quot;: [ # The battery plugged in modes for which the device stays on. When using this setting, it is recommended to clear maximum_time_to_lock so that the device doesn&#x27;t lock itself while it stays on.
    &quot;A String&quot;,
  ],
  &quot;systemUpdate&quot;: { # Configuration for managing system updatesNote: Google Play system updates (https://source.android.com/docs/core/ota/modular-system) (also called Mainline updates) are automatically downloaded but require a device reboot to be installed. Refer to the mainline section in Manage system updates (https://developer.android.com/work/dpc/system-updates#mainline) for further details. # The system update policy, which controls how OS updates are applied. If the update type is WINDOWED, the update window will automatically apply to Play app updates as well.Note: Google Play system updates (https://source.android.com/docs/core/ota/modular-system) (also called Mainline updates) are automatically downloaded and require a device reboot to be installed. Refer to the mainline section in Manage system updates (https://developer.android.com/work/dpc/system-updates#mainline) for further details.
    &quot;endMinutes&quot;: 42, # If the type is WINDOWED, the end of the maintenance window, measured as the number of minutes after midnight in device&#x27;s local time. This value must be between 0 and 1439, inclusive. If this value is less than start_minutes, then the maintenance window spans midnight. If the maintenance window specified is smaller than 30 minutes, the actual window is extended to 30 minutes beyond the start time.
    &quot;freezePeriods&quot;: [ # An annually repeating time period in which over-the-air (OTA) system updates are postponed to freeze the OS version running on a device. To prevent freezing the device indefinitely, each freeze period must be separated by at least 60 days.
      { # A system freeze period. When a device’s clock is within the freeze period, all incoming system updates (including security patches) are blocked and won’t be installed.When the device is outside any set freeze periods, the normal policy behavior (automatic, windowed, or postponed) applies.Leap years are ignored in freeze period calculations, in particular: If Feb. 29th is set as the start or end date of a freeze period, the freeze period will start or end on Feb. 28th instead. When a device’s system clock reads Feb. 29th, it’s treated as Feb. 28th. When calculating the number of days in a freeze period or the time between two freeze periods, Feb. 29th is ignored and not counted as a day.Note: For Freeze Periods to take effect, SystemUpdateType cannot be specified as SYSTEM_UPDATE_TYPE_UNSPECIFIED, because freeze periods require a defined policy to be specified.
        &quot;endDate&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: A full date, with non-zero year, month, and day values. A month and day, with a zero year (for example, an anniversary). A year on its own, with a zero month and a zero day. A year and month, with a zero day (for example, a credit card expiration date).Related types: google.type.TimeOfDay google.type.DateTime google.protobuf.Timestamp # The end date (inclusive) of the freeze period. Must be no later than 90 days from the start date. If the end date is earlier than the start date, the freeze period is considered wrapping year-end. Note: day and month must be set. year should not be set as it is not used. For example, {&quot;month&quot;: 1,&quot;date&quot;: 30}.
          &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
          &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
          &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
        },
        &quot;startDate&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: A full date, with non-zero year, month, and day values. A month and day, with a zero year (for example, an anniversary). A year on its own, with a zero month and a zero day. A year and month, with a zero day (for example, a credit card expiration date).Related types: google.type.TimeOfDay google.type.DateTime google.protobuf.Timestamp # The start date (inclusive) of the freeze period. Note: day and month must be set. year should not be set as it is not used. For example, {&quot;month&quot;: 1,&quot;date&quot;: 30}.
          &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
          &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
          &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
        },
      },
    ],
    &quot;startMinutes&quot;: 42, # If the type is WINDOWED, the start of the maintenance window, measured as the number of minutes after midnight in the device&#x27;s local time. This value must be between 0 and 1439, inclusive.
    &quot;type&quot;: &quot;A String&quot;, # The type of system update to configure.
  },
  &quot;tetheringConfigDisabled&quot;: True or False, # Whether configuring tethering and portable hotspots is disabled. If tetheringSettings is set to anything other than TETHERING_SETTINGS_UNSPECIFIED, this setting is ignored.
  &quot;uninstallAppsDisabled&quot;: True or False, # Whether user uninstallation of applications is disabled. This prevents apps from being uninstalled, even those removed using applications
  &quot;unmuteMicrophoneDisabled&quot;: True or False, # If microphone_access is set to any value other than MICROPHONE_ACCESS_UNSPECIFIED, this has no effect. Otherwise this field controls whether microphones are disabled: If true, all microphones are disabled, otherwise they are available. This is available only on fully managed devices.
  &quot;usageLog&quot;: { # Controls types of device activity logs collected from the device and reported via Pub/Sub notification (https://developers.google.com/android/management/notifications). # Configuration of device activity logging.
    &quot;enabledLogTypes&quot;: [ # Specifies which log types are enabled. Note that users will receive on-device messaging when usage logging is enabled.
      &quot;A String&quot;,
    ],
    &quot;uploadOnCellularAllowed&quot;: [ # Specifies which of the enabled log types can be uploaded over mobile data. By default logs are queued for upload when the device connects to WiFi.
      &quot;A String&quot;,
    ],
  },
  &quot;usbFileTransferDisabled&quot;: True or False, # Whether transferring files over USB is disabled. This is supported only on company-owned devices.
  &quot;usbMassStorageEnabled&quot;: True or False, # Whether USB storage is enabled. Deprecated.
  &quot;version&quot;: &quot;A String&quot;, # The version of the policy. This is a read-only field. The version is incremented each time the policy is updated.
  &quot;vpnConfigDisabled&quot;: True or False, # Whether configuring VPN is disabled.
  &quot;wifiConfigDisabled&quot;: True or False, # Whether configuring Wi-Fi networks is disabled. Supported on fully managed devices and work profiles on company-owned devices. For fully managed devices, setting this to true removes all configured networks and retains only the networks configured using openNetworkConfiguration. For work profiles on company-owned devices, existing configured networks are not affected and the user is not allowed to add, remove, or modify Wi-Fi networks. If configureWifi is set to anything other than CONFIGURE_WIFI_UNSPECIFIED, this setting is ignored. Note: If a network connection can&#x27;t be made at boot time and configuring Wi-Fi is disabled then network escape hatch will be shown in order to refresh the device policy (see networkEscapeHatchEnabled).
  &quot;wifiConfigsLockdownEnabled&quot;: True or False, # This is deprecated.
  &quot;wipeDataFlags&quot;: [ # Optional. Wipe flags to indicate what data is wiped when a device or profile wipe is triggered due to any reason (for example, non-compliance). This does not apply to the enterprises.devices.delete method. . This list must not have duplicates.
    &quot;A String&quot;,
  ],
  &quot;workAccountSetupConfig&quot;: { # Controls the work account setup configuration, such as details of whether a Google authenticated account is required. # Optional. Controls the work account setup configuration, such as details of whether a Google authenticated account is required.
    &quot;authenticationType&quot;: &quot;A String&quot;, # Optional. The authentication type of the user on the device.
    &quot;requiredAccountEmail&quot;: &quot;A String&quot;, # Optional. The specific google work account email address to be added. This field is only relevant if authenticationType is GOOGLE_AUTHENTICATED. This must be an enterprise account and not a consumer account. Once set and a Google authenticated account is added to the device, changing this field will have no effect, and thus recommended to be set only once.
  },
}

  updateMask: string, The field mask indicating the fields to update. If not set, all modifiable fields will be modified.
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A policy resource represents a group of settings that govern the behavior of a managed device and the apps installed on it.
  &quot;accountTypesWithManagementDisabled&quot;: [ # Account types that can&#x27;t be managed by the user.
    &quot;A String&quot;,
  ],
  &quot;addUserDisabled&quot;: True or False, # Whether adding new users and profiles is disabled. For devices where managementMode is DEVICE_OWNER this field is ignored and the user is never allowed to add or remove users.
  &quot;adjustVolumeDisabled&quot;: True or False, # Whether adjusting the master volume is disabled. Also mutes the device. The setting has effect only on fully managed devices.
  &quot;advancedSecurityOverrides&quot;: { # Advanced security settings. In most cases, setting these is not needed. # Advanced security settings. In most cases, setting these is not needed.
    &quot;commonCriteriaMode&quot;: &quot;A String&quot;, # Controls Common Criteria Mode—security standards defined in the Common Criteria for Information Technology Security Evaluation (https://www.commoncriteriaportal.org/) (CC). Enabling Common Criteria Mode increases certain security components on a device, see CommonCriteriaMode for details.Warning: Common Criteria Mode enforces a strict security model typically only required for IT products used in national security systems and other highly sensitive organizations. Standard device use may be affected. Only enabled if required. If Common Criteria Mode is turned off after being enabled previously, all user-configured Wi-Fi networks may be lost and any enterprise-configured Wi-Fi networks that require user input may need to be reconfigured.
    &quot;contentProtectionPolicy&quot;: &quot;A String&quot;, # Optional. Controls whether content protection, which scans for deceptive apps, is enabled. This is supported on Android 15 and above.
    &quot;developerSettings&quot;: &quot;A String&quot;, # Controls access to developer settings: developer options and safe boot. Replaces safeBootDisabled (deprecated) and debuggingFeaturesAllowed (deprecated). On personally-owned devices with a work profile, setting this policy will not disable safe boot. In this case, a NonComplianceDetail with MANAGEMENT_MODE is reported.
    &quot;googlePlayProtectVerifyApps&quot;: &quot;A String&quot;, # Whether Google Play Protect verification (https://support.google.com/accounts/answer/2812853) is enforced. Replaces ensureVerifyAppsEnabled (deprecated).
    &quot;mtePolicy&quot;: &quot;A String&quot;, # Optional. Controls Memory Tagging Extension (MTE) (https://source.android.com/docs/security/test/memory-safety/arm-mte) on the device. The device needs to be rebooted to apply changes to the MTE policy. On Android 15 and above, a NonComplianceDetail with PENDING is reported if the policy change is pending a device reboot.
    &quot;personalAppsThatCanReadWorkNotifications&quot;: [ # Personal apps that can read work profile notifications using a NotificationListenerService (https://developer.android.com/reference/android/service/notification/NotificationListenerService). By default, no personal apps (aside from system apps) can read work notifications. Each value in the list must be a package name.
      &quot;A String&quot;,
    ],
    &quot;untrustedAppsPolicy&quot;: &quot;A String&quot;, # The policy for untrusted apps (apps from unknown sources) enforced on the device. Replaces install_unknown_sources_allowed (deprecated).
  },
  &quot;alwaysOnVpnPackage&quot;: { # Configuration for an always-on VPN connection. # Configuration for an always-on VPN connection. Use with vpn_config_disabled to prevent modification of this setting.
    &quot;lockdownEnabled&quot;: True or False, # Disallows networking when the VPN is not connected.
    &quot;packageName&quot;: &quot;A String&quot;, # The package name of the VPN app.
  },
  &quot;androidDevicePolicyTracks&quot;: [ # This setting is not supported. Any value is ignored.
    &quot;A String&quot;,
  ],
  &quot;appAutoUpdatePolicy&quot;: &quot;A String&quot;, # Recommended alternative: autoUpdateMode which is set per app, provides greater flexibility around update frequency.When autoUpdateMode is set to AUTO_UPDATE_POSTPONED or AUTO_UPDATE_HIGH_PRIORITY, this field has no effect.The app auto update policy, which controls when automatic app updates can be applied.
  &quot;appFunctions&quot;: &quot;A String&quot;, # Optional. Controls whether apps on the device for fully managed devices or in the work profile for devices with work profiles are allowed to expose app functions.
  &quot;applications&quot;: [ # Policy applied to apps. This can have at most 3,000 elements.
    { # Policy for an individual app. Note: Application availability on a given device cannot be changed using this policy if installAppsDisabled is enabled. The maximum number of applications that you can specify per policy is 3,000.
      &quot;accessibleTrackIds&quot;: [ # List of the app’s track IDs that a device belonging to the enterprise can access. If the list contains multiple track IDs, devices receive the latest version among all accessible tracks. If the list contains no track IDs, devices only have access to the app’s production track. More details about each track are available in AppTrackInfo.
        &quot;A String&quot;,
      ],
      &quot;alwaysOnVpnLockdownExemption&quot;: &quot;A String&quot;, # Specifies whether the app is allowed networking when the VPN is not connected and alwaysOnVpnPackage.lockdownEnabled is enabled. If set to VPN_LOCKDOWN_ENFORCED, the app is not allowed networking, and if set to VPN_LOCKDOWN_EXEMPTION, the app is allowed networking. Only supported on devices running Android 10 and above. If this is not supported by the device, the device will contain a NonComplianceDetail with non_compliance_reason set to API_LEVEL and a fieldPath. If this is not applicable to the app, the device will contain a NonComplianceDetail with non_compliance_reason set to UNSUPPORTED and a fieldPath. The fieldPath is set to applications[i].alwaysOnVpnLockdownExemption, where i is the index of the package in the applications policy.
      &quot;autoUpdateMode&quot;: &quot;A String&quot;, # Controls the auto-update mode for the app.
      &quot;connectedWorkAndPersonalApp&quot;: &quot;A String&quot;, # Controls whether the app can communicate with itself across a device’s work and personal profiles, subject to user consent.
      &quot;credentialProviderPolicy&quot;: &quot;A String&quot;, # Optional. Whether the app is allowed to act as a credential provider on Android 14 and above.
      &quot;customAppConfig&quot;: { # Configuration for a custom app. # Optional. Configuration for this custom app.install_type must be set to CUSTOM for this to be set.
        &quot;userUninstallSettings&quot;: &quot;A String&quot;, # Optional. User uninstall settings of the custom app.
      },
      &quot;defaultPermissionPolicy&quot;: &quot;A String&quot;, # The default policy for all permissions requested by the app. If specified, this overrides the policy-level default_permission_policy which applies to all apps. It does not override the permission_grants which applies to all apps.
      &quot;delegatedScopes&quot;: [ # The scopes delegated to the app from Android Device Policy. These provide additional privileges for the applications they are applied to.
        &quot;A String&quot;,
      ],
      &quot;disabled&quot;: True or False, # Whether the app is disabled. When disabled, the app data is still preserved.
      &quot;extensionConfig&quot;: { # Configuration to enable an app as an extension app, with the capability of interacting with Android Device Policy offline. For Android versions 11 and above, extension apps are exempt from battery restrictions so will not be placed into the restricted App Standby Bucket (https://developer.android.com/topic/performance/appstandby#restricted-bucket). Extensions apps are also protected against users clearing their data or force-closing the application, although admins can continue to use the clear app data command on extension apps if needed for Android 11 and above. # Configuration to enable this app as an extension app, with the capability of interacting with Android Device Policy offline.This field can be set for at most one app. If there is any app with COMPANION_APP role, this field cannot be set.The signing key certificate fingerprint of the app on the device must match one of the entries in ApplicationPolicy.signingKeyCerts or ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) or the signing key certificate fingerprints obtained from Play Store for the app to be able to communicate with Android Device Policy. If the app is not on Play Store and if ApplicationPolicy.signingKeyCerts and ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) are not set, a NonComplianceDetail with INVALID_VALUE is reported.
        &quot;notificationReceiver&quot;: &quot;A String&quot;, # Fully qualified class name of the receiver service class for Android Device Policy to notify the extension app of any local command status updates. The service must be exported in the extension app&#x27;s AndroidManifest.xml and extend NotificationReceiverService (https://developers.google.com/android/management/reference/amapi/com/google/android/managementapi/notification/NotificationReceiverService) (see Integrate with the AMAPI SDK (https://developers.google.com/android/management/sdk-integration) guide for more details).
        &quot;signingKeyFingerprintsSha256&quot;: [ # Hex-encoded SHA-256 hashes of the signing key certificates of the extension app. Only hexadecimal string representations of 64 characters are valid.The signing key certificate fingerprints are always obtained from the Play Store and this field is used to provide additional signing key certificate fingerprints. However, if the application is not available on the Play Store, this field needs to be set. A NonComplianceDetail with INVALID_VALUE is reported if this field is not set when the application is not available on the Play Store.The signing key certificate fingerprint of the extension app on the device must match one of the signing key certificate fingerprints obtained from the Play Store or the ones provided in this field for the app to be able to communicate with Android Device Policy.In production use cases, it is recommended to leave this empty.
          &quot;A String&quot;,
        ],
      },
      &quot;installConstraint&quot;: [ # Optional. The constraints for installing the app. You can specify a maximum of one InstallConstraint. Multiple constraints are rejected.
        { # Amongst apps with InstallType set to: FORCE_INSTALLED PREINSTALLEDthis defines a set of restrictions for the app installation. At least one of the fields must be set. When multiple fields are set, then all the constraints need to be satisfied for the app to be installed.
          &quot;chargingConstraint&quot;: &quot;A String&quot;, # Optional. Charging constraint.
          &quot;deviceIdleConstraint&quot;: &quot;A String&quot;, # Optional. Device idle constraint.
          &quot;networkTypeConstraint&quot;: &quot;A String&quot;, # Optional. Network type constraint.
        },
      ],
      &quot;installPriority&quot;: 42, # Optional. Amongst apps with installType set to: FORCE_INSTALLED PREINSTALLEDthis controls the relative priority of installation. A value of 0 (default) means this app has no priority over other apps. For values between 1 and 10,000, a lower value means a higher priority. Values outside of the range 0 to 10,000 inclusive are rejected.
      &quot;installType&quot;: &quot;A String&quot;, # The type of installation to perform.
      &quot;lockTaskAllowed&quot;: True or False, # Whether the app is allowed to lock itself in full-screen mode. DEPRECATED. Use InstallType KIOSK or kioskCustomLauncherEnabled to configure a dedicated device.
      &quot;managedConfiguration&quot;: { # Managed configuration applied to the app. The format for the configuration is dictated by the ManagedProperty values supported by the app. Each field name in the managed configuration must match the key field of the ManagedProperty. The field value must be compatible with the type of the ManagedProperty: *type* *JSON value* BOOL true or false STRING string INTEGER number CHOICE string MULTISELECT array of strings HIDDEN string BUNDLE_ARRAY array of objects
        &quot;a_key&quot;: &quot;&quot;, # Properties of the object.
      },
      &quot;managedConfigurationTemplate&quot;: { # The managed configurations template for the app, saved from the managed configurations iframe. # The managed configurations template for the app, saved from the managed configurations iframe. This field is ignored if managed_configuration is set.
        &quot;configurationVariables&quot;: { # Optional, a map containing configuration variables defined for the configuration.
          &quot;a_key&quot;: &quot;A String&quot;,
        },
        &quot;templateId&quot;: &quot;A String&quot;, # The ID of the managed configurations template.
      },
      &quot;minimumVersionCode&quot;: 42, # The minimum version of the app that runs on the device. If set, the device attempts to update the app to at least this version code. If the app is not up-to-date, the device will contain a NonComplianceDetail with non_compliance_reason set to APP_NOT_UPDATED. The app must already be published to Google Play with a version code greater than or equal to this value. At most 20 apps may specify a minimum version code per policy.
      &quot;packageName&quot;: &quot;A String&quot;, # The package name of the app. For example, com.google.android.youtube for the YouTube app.
      &quot;permissionGrants&quot;: [ # Explicit permission grants or denials for the app. These values override the default_permission_policy and permission_grants which apply to all apps.
        { # Configuration for an Android permission and its grant state.
          &quot;permission&quot;: &quot;A String&quot;, # The Android permission or group, e.g. android.permission.READ_CALENDAR or android.permission_group.CALENDAR.
          &quot;policy&quot;: &quot;A String&quot;, # The policy for granting the permission.
        },
      ],
      &quot;preferentialNetworkId&quot;: &quot;A String&quot;, # Optional. ID of the preferential network the application uses. There must be a configuration for the specified network ID in preferentialNetworkServiceConfigs. If set to PREFERENTIAL_NETWORK_ID_UNSPECIFIED, the application will use the default network ID specified in defaultPreferentialNetworkId. See the documentation of defaultPreferentialNetworkId for the list of apps excluded from this defaulting. This applies on both work profiles and fully managed devices on Android 13 and above.
      &quot;roles&quot;: [ # Optional. Roles the app has.Apps having certain roles can be exempted from power and background execution restrictions, suspension and hibernation on Android 14 and above. The user control can also be disallowed for apps with certain roles on Android 11 and above. Refer to the documentation of each RoleType for more details.The app is notified about the roles that are set for it if the app has a notification receiver service with . The app is notified whenever its roles are updated or after the app is installed when it has nonempty list of roles. The app can use this notification to bootstrap itself after the installation. See Integrate with the AMAPI SDK (https://developers.google.com/android/management/sdk-integration) and Manage app roles (https://developers.google.com/android/management/app-roles) guides for more details on the requirements for the service.For the exemptions to be applied and the app to be notified about the roles, the signing key certificate fingerprint of the app on the device must match one of the signing key certificate fingerprints obtained from Play Store or one of the entries in ApplicationPolicy.signingKeyCerts. Otherwise, a NonComplianceDetail with APP_SIGNING_CERT_MISMATCH is reported.There must not be duplicate roles with the same roleType. Multiple apps cannot hold a role with the same roleType. A role with type ROLE_TYPE_UNSPECIFIED is not allowed.
        { # Role an app can have.
          &quot;roleType&quot;: &quot;A String&quot;, # Required. The type of the role an app can have.
        },
      ],
      &quot;signingKeyCerts&quot;: [ # Optional. Signing key certificates of the app.This field is required in the following cases: The app has installType set to CUSTOM (i.e. a custom app). The app has roles set to a nonempty list and the app does not exist on the Play Store. The app has extensionConfig set (i.e. an extension app) but ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) is not set and the app does not exist on the Play Store.If this field is not set for a custom app, the policy is rejected. If it is not set when required for a non-custom app, a NonComplianceDetail with INVALID_VALUE is reported.For other cases, this field is optional and the signing key certificates obtained from Play Store are used.See following policy settings to see how this field is used: choosePrivateKeyRules ApplicationPolicy.InstallType.CUSTOM ApplicationPolicy.extensionConfig ApplicationPolicy.roles
        { # The application signing key certificate.
          &quot;signingKeyCertFingerprintSha256&quot;: &quot;A String&quot;, # Required. The SHA-256 hash value of the signing key certificate of the app. This must be a valid SHA-256 hash value, i.e. 32 bytes. Otherwise, the policy is rejected.
        },
      ],
      &quot;userControlSettings&quot;: &quot;A String&quot;, # Optional. Specifies whether user control is permitted for the app. User control includes user actions like force-stopping and clearing app data. Certain types of apps have special treatment, see USER_CONTROL_SETTINGS_UNSPECIFIED and USER_CONTROL_ALLOWED for more details.
      &quot;workProfileWidgets&quot;: &quot;A String&quot;, # Specifies whether the app installed in the work profile is allowed to add widgets to the home screen.
    },
  ],
  &quot;assistContentPolicy&quot;: &quot;A String&quot;, # Optional. Controls whether AssistContent (https://developer.android.com/reference/android/app/assist/AssistContent) is allowed to be sent to a privileged app such as an assistant app. AssistContent includes screenshots and information about an app, such as package name. This is supported on Android 15 and above.
  &quot;autoDateAndTimeZone&quot;: &quot;A String&quot;, # Whether auto date, time, and time zone are enabled on a company-owned device. If this is set, then autoTimeRequired is ignored.
  &quot;autoTimeRequired&quot;: True or False, # Whether auto time is required, which prevents the user from manually setting the date and time. If autoDateAndTimeZone is set, this field is ignored.
  &quot;blockApplicationsEnabled&quot;: True or False, # Whether applications other than the ones configured in applications are blocked from being installed. When set, applications that were installed under a previous policy but no longer appear in the policy are automatically uninstalled.
  &quot;bluetoothConfigDisabled&quot;: True or False, # Whether configuring bluetooth is disabled.
  &quot;bluetoothContactSharingDisabled&quot;: True or False, # Whether bluetooth contact sharing is disabled.
  &quot;bluetoothDisabled&quot;: True or False, # Whether bluetooth is disabled. Prefer this setting over bluetooth_config_disabled because bluetooth_config_disabled can be bypassed by the user.
  &quot;cameraAccess&quot;: &quot;A String&quot;, # Controls the use of the camera and whether the user has access to the camera access toggle.
  &quot;cameraDisabled&quot;: True or False, # If camera_access is set to any value other than CAMERA_ACCESS_UNSPECIFIED, this has no effect. Otherwise this field controls whether cameras are disabled: If true, all cameras are disabled, otherwise they are available. For fully managed devices this field applies for all apps on the device. For work profiles, this field applies only to apps in the work profile, and the camera access of apps outside the work profile is unaffected.
  &quot;cellBroadcastsConfigDisabled&quot;: True or False, # Whether configuring cell broadcast is disabled.
  &quot;choosePrivateKeyRules&quot;: [ # Rules for determining apps&#x27; access to private keys. See ChoosePrivateKeyRule for details. This must be empty if any application has CERT_SELECTION delegation scope.
    { # Controls apps&#x27; access to private keys. The rule determines which private key, if any, Android Device Policy grants to the specified app. Access is granted either when the app calls KeyChain.choosePrivateKeyAlias (https://developer.android.com/reference/android/security/KeyChain#choosePrivateKeyAlias%28android.app.Activity,%20android.security.KeyChainAliasCallback,%20java.lang.String[],%20java.security.Principal[],%20java.lang.String,%20int,%20java.lang.String%29) (or any overloads) to request a private key alias for a given URL, or for rules that are not URL-specific (that is, if urlPattern is not set, or set to the empty string or .*) on Android 11 and above, directly so that the app can call KeyChain.getPrivateKey (https://developer.android.com/reference/android/security/KeyChain#getPrivateKey%28android.content.Context,%20java.lang.String%29), without first having to call KeyChain.choosePrivateKeyAlias.When an app calls KeyChain.choosePrivateKeyAlias if more than one choosePrivateKeyRules matches, the last matching rule defines which key alias to return.
      &quot;packageNames&quot;: [ # The package names to which this rule applies. The signing key certificate fingerprint of the app is verified against the signing key certificate fingerprints provided by Play Store and ApplicationPolicy.signingKeyCerts . If no package names are specified, then the alias is provided to all apps that call KeyChain.choosePrivateKeyAlias (https://developer.android.com/reference/android/security/KeyChain#choosePrivateKeyAlias%28android.app.Activity,%20android.security.KeyChainAliasCallback,%20java.lang.String[],%20java.security.Principal[],%20java.lang.String,%20int,%20java.lang.String%29) or any overloads (but not without calling KeyChain.choosePrivateKeyAlias, even on Android 11 and above). Any app with the same Android UID as a package specified here will have access when they call KeyChain.choosePrivateKeyAlias.
        &quot;A String&quot;,
      ],
      &quot;privateKeyAlias&quot;: &quot;A String&quot;, # The alias of the private key to be used.
      &quot;urlPattern&quot;: &quot;A String&quot;, # The URL pattern to match against the URL of the request. If not set or empty, it matches all URLs. This uses the regular expression syntax of java.util.regex.Pattern.
    },
  ],
  &quot;complianceRules&quot;: [ # Rules declaring which mitigating actions to take when a device is not compliant with its policy. When the conditions for multiple rules are satisfied, all of the mitigating actions for the rules are taken. There is a maximum limit of 100 rules. Use policy enforcement rules instead.
    { # A rule declaring which mitigating actions to take when a device is not compliant with its policy. For every rule, there is always an implicit mitigating action to set policy_compliant to false for the Device resource, and display a message on the device indicating that the device is not compliant with its policy. Other mitigating actions may optionally be taken as well, depending on the field values in the rule.
      &quot;apiLevelCondition&quot;: { # A compliance rule condition which is satisfied if the Android Framework API level on the device doesn&#x27;t meet a minimum requirement. There can only be one rule with this type of condition per policy. # A condition which is satisfied if the Android Framework API level on the device doesn&#x27;t meet a minimum requirement.
        &quot;minApiLevel&quot;: 42, # The minimum desired Android Framework API level. If the device doesn&#x27;t meet the minimum requirement, this condition is satisfied. Must be greater than zero.
      },
      &quot;disableApps&quot;: True or False, # If set to true, the rule includes a mitigating action to disable apps so that the device is effectively disabled, but app data is preserved. If the device is running an app in locked task mode, the app will be closed and a UI showing the reason for non-compliance will be displayed.
      &quot;nonComplianceDetailCondition&quot;: { # A compliance rule condition which is satisfied if there exists any matching NonComplianceDetail for the device. A NonComplianceDetail matches a NonComplianceDetailCondition if all the fields which are set within the NonComplianceDetailCondition match the corresponding NonComplianceDetail fields. # A condition which is satisfied if there exists any matching NonComplianceDetail for the device.
        &quot;nonComplianceReason&quot;: &quot;A String&quot;, # The reason the device is not in compliance with the setting. If not set, then this condition matches any reason.
        &quot;packageName&quot;: &quot;A String&quot;, # The package name of the app that&#x27;s out of compliance. If not set, then this condition matches any package name.
        &quot;settingName&quot;: &quot;A String&quot;, # The name of the policy setting. This is the JSON field name of a top-level Policy field. If not set, then this condition matches any setting name.
      },
      &quot;packageNamesToDisable&quot;: [ # If set, the rule includes a mitigating action to disable apps specified in the list, but app data is preserved.
        &quot;A String&quot;,
      ],
    },
  ],
  &quot;createWindowsDisabled&quot;: True or False, # Whether creating windows besides app windows is disabled.
  &quot;credentialProviderPolicyDefault&quot;: &quot;A String&quot;, # Controls which apps are allowed to act as credential providers on Android 14 and above. These apps store credentials, see this (https://developer.android.com/training/sign-in/passkeys) and this (https://developer.android.com/reference/androidx/credentials/CredentialManager) for details. See also credentialProviderPolicy.
  &quot;credentialsConfigDisabled&quot;: True or False, # Whether configuring user credentials is disabled.
  &quot;crossProfilePolicies&quot;: { # Controls the data from the work profile that can be accessed from the personal profile and vice versa. A NonComplianceDetail with MANAGEMENT_MODE is reported if the device does not have a work profile. # Cross-profile policies applied on the device.
    &quot;crossProfileAppFunctions&quot;: &quot;A String&quot;, # Optional. Controls whether personal profile apps can invoke app functions exposed by apps in the work profile.
    &quot;crossProfileCopyPaste&quot;: &quot;A String&quot;, # Whether text copied from one profile (personal or work) can be pasted in the other profile.
    &quot;crossProfileDataSharing&quot;: &quot;A String&quot;, # Whether data from one profile (personal or work) can be shared with apps in the other profile. Specifically controls simple data sharing via intents. Management of other cross-profile communication channels, such as contact search, copy/paste, or connected work &amp; personal apps, are configured separately.
    &quot;exemptionsToShowWorkContactsInPersonalProfile&quot;: { # A list of package names. # List of apps which are excluded from the ShowWorkContactsInPersonalProfile setting. For this to be set, ShowWorkContactsInPersonalProfile must be set to one of the following values: SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_ALLOWED. In this case, these exemptions act as a blocklist. SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED. In this case, these exemptions act as an allowlist. SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED_EXCEPT_SYSTEM. In this case, these exemptions act as an allowlist, in addition to the already allowlisted system apps.Supported on Android 14 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 14.
      &quot;packageNames&quot;: [ # A list of package names.
        &quot;A String&quot;,
      ],
    },
    &quot;showWorkContactsInPersonalProfile&quot;: &quot;A String&quot;, # Whether personal apps can access contacts stored in the work profile.See also exemptions_to_show_work_contacts_in_personal_profile.
    &quot;workProfileWidgetsDefault&quot;: &quot;A String&quot;, # Specifies the default behaviour for work profile widgets. If the policy does not specify work_profile_widgets for a specific application, it will behave according to the value specified here.
  },
  &quot;dataRoamingDisabled&quot;: True or False, # Whether roaming data services are disabled.
  &quot;debuggingFeaturesAllowed&quot;: True or False, # Whether the user is allowed to enable debugging features.
  &quot;defaultApplicationSettings&quot;: [ # Optional. The default application setting for supported types. If the default application is successfully set for at least one app type on a profile, users are prevented from changing any default applications on that profile.Only one DefaultApplicationSetting is allowed for each DefaultApplicationType.See Default application settings (https://developers.google.com/android/management/default-application-settings) guide for more details.
    { # The default application setting for a DefaultApplicationType.
      &quot;defaultApplicationScopes&quot;: [ # Required. The scopes to which the policy should be applied. This list must not be empty or contain duplicates.A NonComplianceDetail with MANAGEMENT_MODE reason and DEFAULT_APPLICATION_SETTING_UNSUPPORTED_SCOPES specific reason is reported if none of the specified scopes can be applied to the management mode (e.g. a fully managed device receives a policy with only SCOPE_PERSONAL_PROFILE in the list).
        &quot;A String&quot;,
      ],
      &quot;defaultApplicationType&quot;: &quot;A String&quot;, # Required. The app type to set the default application.
      &quot;defaultApplications&quot;: [ # Required. The list of applications that can be set as the default app for a given type. This list must not be empty or contain duplicates. The first app in the list that is installed and qualified for the defaultApplicationType (e.g. SMS app for DEFAULT_SMS) is set as the default app. The signing key certificate fingerprint of the app on the device must also match one of the signing key certificate fingerprints obtained from Play Store or one of the entries in ApplicationPolicy.signingKeyCerts in order to be set as the default.If the defaultApplicationScopes contains SCOPE_FULLY_MANAGED or SCOPE_WORK_PROFILE, the app must have an entry in applications with installType set to a value other than BLOCKED.A NonComplianceDetail with APP_NOT_INSTALLED reason and DEFAULT_APPLICATION_SETTING_FAILED_FOR_SCOPE specific reason is reported if none of the apps in the list are installed. A NonComplianceDetail with INVALID_VALUE reason and DEFAULT_APPLICATION_SETTING_FAILED_FOR_SCOPE specific reason is reported if at least one app is installed but the policy fails to apply due to other reasons (e.g. the app is not of the right type).When applying to SCOPE_PERSONAL_PROFILE on a company-owned device with a work profile, only pre-installed system apps can be set as the default. A NonComplianceDetail with INVALID_VALUE reason and DEFAULT_APPLICATION_SETTING_FAILED_FOR_SCOPE specific reason is reported if the policy fails to apply to the personal profile.
        { # Information about the application to be set as the default.
          &quot;packageName&quot;: &quot;A String&quot;, # Required. The package name that should be set as the default application. The policy is rejected if the package name is invalid.
        },
      ],
    },
  ],
  &quot;defaultPermissionPolicy&quot;: &quot;A String&quot;, # The default permission policy for runtime permission requests.
  &quot;deviceConnectivityManagement&quot;: { # Covers controls for device connectivity such as Wi-Fi, USB data access, keyboard/mouse connections, and more. # Covers controls for device connectivity such as Wi-Fi, USB data access, keyboard/mouse connections, and more.
    &quot;apnPolicy&quot;: { # Access Point Name (APN) policy. Configuration for Access Point Names (APNs) which may override any other APNs on the device. See OVERRIDE_APNS_ENABLED and overrideApns for details. # Optional. Access Point Name (APN) policy. Configuration for Access Point Names (APNs) which may override any other APNs on the device. See OVERRIDE_APNS_ENABLED and overrideApns for details.
      &quot;apnSettings&quot;: [ # Optional. APN settings for override APNs. There must not be any conflict between any of APN settings provided, otherwise the policy will be rejected. Two ApnSettings are considered to conflict when all of the following fields match on both: numericOperatorId, apn, proxyAddress, proxyPort, mmsProxyAddress, mmsProxyPort, mmsc, mvnoType, protocol, roamingProtocol. If some of the APN settings result in non-compliance of INVALID_VALUE , they will be ignored. This can be set on fully managed devices on Android 10 and above. This can also be set on work profiles on Android 13 and above and only with ApnSetting&#x27;s with ENTERPRISE APN type. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 10. A NonComplianceDetail with MANAGEMENT_MODE is reported for work profiles on Android versions less than 13.
        { # An Access Point Name (APN) configuration for a carrier data connection. The APN provides configuration to connect a cellular network device to an IP data network. A carrier uses this setting to decide which IP address to assign, any security methods to apply, and how the device might be connected to private networks.
          &quot;alwaysOnSetting&quot;: &quot;A String&quot;, # Optional. Whether User Plane resources have to be activated during every transition from CM-IDLE mode to CM-CONNECTED state for this APN. See 3GPP TS 23.501 section 5.6.13.
          &quot;apn&quot;: &quot;A String&quot;, # Required. Name of the APN. Policy will be rejected if this field is empty.
          &quot;apnTypes&quot;: [ # Required. Usage categories for the APN. Policy will be rejected if this field is empty or contains APN_TYPE_UNSPECIFIED or duplicates. Multiple APN types can be set on fully managed devices. ENTERPRISE is the only allowed APN type on work profiles. A NonComplianceDetail with MANAGEMENT_MODE is reported for any other value on work profiles. APN types that are not supported on the device or management mode will be ignored. If this results in the empty list, the APN setting will be ignored, because apnTypes is a required field. A NonComplianceDetail with INVALID_VALUE is reported if none of the APN types are supported on the device or management mode.
            &quot;A String&quot;,
          ],
          &quot;authType&quot;: &quot;A String&quot;, # Optional. Authentication type of the APN.
          &quot;carrierId&quot;: 42, # Optional. Carrier ID for the APN. A value of 0 (default) means not set and negative values are rejected.
          &quot;displayName&quot;: &quot;A String&quot;, # Required. Human-readable name that describes the APN. Policy will be rejected if this field is empty.
          &quot;mmsProxyAddress&quot;: &quot;A String&quot;, # Optional. MMS (Multimedia Messaging Service) proxy address of the APN which can be an IP address or hostname (not a URL).
          &quot;mmsProxyPort&quot;: 42, # Optional. MMS (Multimedia Messaging Service) proxy port of the APN. A value of 0 (default) means not set and negative values are rejected.
          &quot;mmsc&quot;: &quot;A String&quot;, # Optional. MMSC (Multimedia Messaging Service Center) URI of the APN.
          &quot;mtuV4&quot;: 42, # Optional. The default MTU (Maximum Transmission Unit) size in bytes of the IPv4 routes brought up by this APN setting. A value of 0 (default) means not set and negative values are rejected. Supported on Android 13 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 13.
          &quot;mtuV6&quot;: 42, # Optional. The MTU (Maximum Transmission Unit) size of the IPv6 mobile interface to which the APN connected. A value of 0 (default) means not set and negative values are rejected. Supported on Android 13 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 13.
          &quot;mvnoType&quot;: &quot;A String&quot;, # Optional. MVNO match type for the APN.
          &quot;networkTypes&quot;: [ # Optional. Radio technologies (network types) the APN may use. Policy will be rejected if this field contains NETWORK_TYPE_UNSPECIFIED or duplicates.
            &quot;A String&quot;,
          ],
          &quot;numericOperatorId&quot;: &quot;A String&quot;, # Optional. The numeric operator ID of the APN. Numeric operator ID is defined as MCC (Mobile Country Code) + MNC (Mobile Network Code).
          &quot;password&quot;: &quot;A String&quot;, # Optional. APN password of the APN.
          &quot;protocol&quot;: &quot;A String&quot;, # Optional. The protocol to use to connect to this APN.
          &quot;proxyAddress&quot;: &quot;A String&quot;, # Optional. The proxy address of the APN.
          &quot;proxyPort&quot;: 42, # Optional. The proxy port of the APN. A value of 0 (default) means not set and negative values are rejected.
          &quot;roamingProtocol&quot;: &quot;A String&quot;, # Optional. The protocol to use to connect to this APN while the device is roaming.
          &quot;username&quot;: &quot;A String&quot;, # Optional. APN username of the APN.
        },
      ],
      &quot;overrideApns&quot;: &quot;A String&quot;, # Optional. Whether override APNs are disabled or enabled. See DevicePolicyManager.setOverrideApnsEnabled (https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setOverrideApnsEnabled) for more details.
    },
    &quot;bluetoothSharing&quot;: &quot;A String&quot;, # Optional. Controls whether Bluetooth sharing is allowed.
    &quot;configureWifi&quot;: &quot;A String&quot;, # Controls Wi-Fi configuring privileges. Based on the option set, user will have either full or limited or no control in configuring Wi-Fi networks.
    &quot;preferentialNetworkServiceSettings&quot;: { # Preferential network service settings. # Optional. Preferential network service configuration. Setting this field will override preferentialNetworkService. This can be set on both work profiles and fully managed devices on Android 13 and above. See 5G network slicing (https://developers.google.com/android/management/5g-network-slicing) guide for more details.
      &quot;defaultPreferentialNetworkId&quot;: &quot;A String&quot;, # Required. Default preferential network ID for the applications that are not in applications or if ApplicationPolicy.preferentialNetworkId is set to PREFERENTIAL_NETWORK_ID_UNSPECIFIED. There must be a configuration for the specified network ID in preferentialNetworkServiceConfigs, unless this is set to NO_PREFERENTIAL_NETWORK. If set to PREFERENTIAL_NETWORK_ID_UNSPECIFIED or unset, this defaults to NO_PREFERENTIAL_NETWORK. Note: If the default preferential network is misconfigured, applications with no ApplicationPolicy.preferentialNetworkId set are not able to access the internet. This setting does not apply to the following critical apps: com.google.android.apps.work.clouddpc com.google.android.gmsApplicationPolicy.preferentialNetworkId can still be used to configure the preferential network for them.
      &quot;preferentialNetworkServiceConfigs&quot;: [ # Required. Preferential network service configurations which enables having multiple enterprise slices. There must not be multiple configurations with the same preferentialNetworkId. If a configuration is not referenced by any application by setting ApplicationPolicy.preferentialNetworkId or by setting defaultPreferentialNetworkId, it will be ignored. For devices on 4G networks, enterprise APN needs to be configured additionally to set up data call for preferential network service. These APNs can be added using apnPolicy.
        { # Individual preferential network service configuration.
          &quot;fallbackToDefaultConnection&quot;: &quot;A String&quot;, # Optional. Whether fallback to the device-wide default network is allowed. If this is set to FALLBACK_TO_DEFAULT_CONNECTION_ALLOWED, then nonMatchingNetworks must not be set to NON_MATCHING_NETWORKS_DISALLOWED, the policy will be rejected otherwise. Note: If this is set to FALLBACK_TO_DEFAULT_CONNECTION_DISALLOWED, applications are not able to access the internet if the 5G slice is not available.
          &quot;nonMatchingNetworks&quot;: &quot;A String&quot;, # Optional. Whether apps this configuration applies to are blocked from using networks other than the preferential service. If this is set to NON_MATCHING_NETWORKS_DISALLOWED, then fallbackToDefaultConnection must be set to FALLBACK_TO_DEFAULT_CONNECTION_DISALLOWED.
          &quot;preferentialNetworkId&quot;: &quot;A String&quot;, # Required. Preferential network identifier. This must not be set to NO_PREFERENTIAL_NETWORK or PREFERENTIAL_NETWORK_ID_UNSPECIFIED, the policy will be rejected otherwise.
        },
      ],
    },
    &quot;tetheringSettings&quot;: &quot;A String&quot;, # Controls tethering settings. Based on the value set, the user is partially or fully disallowed from using different forms of tethering.
    &quot;usbDataAccess&quot;: &quot;A String&quot;, # Controls what files and/or data can be transferred via USB. Supported only on company-owned devices.
    &quot;wifiDirectSettings&quot;: &quot;A String&quot;, # Controls configuring and using Wi-Fi direct settings. Supported on company-owned devices running Android 13 and above.
    &quot;wifiRoamingPolicy&quot;: { # Wi-Fi roaming policy. # Optional. Wi-Fi roaming policy.
      &quot;wifiRoamingSettings&quot;: [ # Optional. Wi-Fi roaming settings. SSIDs provided in this list must be unique, the policy will be rejected otherwise.
        { # Wi-Fi roaming setting.
          &quot;wifiRoamingMode&quot;: &quot;A String&quot;, # Required. Wi-Fi roaming mode for the specified SSID.
          &quot;wifiSsid&quot;: &quot;A String&quot;, # Required. SSID of the Wi-Fi network.
        },
      ],
    },
    &quot;wifiSsidPolicy&quot;: { # Restrictions on which Wi-Fi SSIDs the device can connect to. Note that this does not affect which networks can be configured on the device. Supported on company-owned devices running Android 13 and above. # Restrictions on which Wi-Fi SSIDs the device can connect to. Note that this does not affect which networks can be configured on the device. Supported on company-owned devices running Android 13 and above.
      &quot;wifiSsidPolicyType&quot;: &quot;A String&quot;, # Type of the Wi-Fi SSID policy to be applied.
      &quot;wifiSsids&quot;: [ # Optional. List of Wi-Fi SSIDs that should be applied in the policy. This field must be non-empty when WifiSsidPolicyType is set to WIFI_SSID_ALLOWLIST. If this is set to a non-empty list, then a NonComplianceDetail detail with API_LEVEL is reported if the Android version is less than 13 and a NonComplianceDetail with MANAGEMENT_MODE is reported for non-company-owned devices.
        { # Represents a Wi-Fi SSID.
          &quot;wifiSsid&quot;: &quot;A String&quot;, # Required. Wi-Fi SSID represented as a string.
        },
      ],
    },
  },
  &quot;deviceOwnerLockScreenInfo&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # The device owner information to be shown on the lock screen.
    &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
    &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
      &quot;a_key&quot;: &quot;A String&quot;,
    },
  },
  &quot;deviceRadioState&quot;: { # Controls for device radio settings. # Covers controls for radio state such as Wi-Fi, bluetooth, and more.
    &quot;airplaneModeState&quot;: &quot;A String&quot;, # Controls whether airplane mode can be toggled by the user or not.
    &quot;cellularTwoGState&quot;: &quot;A String&quot;, # Controls whether cellular 2G setting can be toggled by the user or not.
    &quot;minimumWifiSecurityLevel&quot;: &quot;A String&quot;, # The minimum required security level of Wi-Fi networks that the device can connect to.
    &quot;ultraWidebandState&quot;: &quot;A String&quot;, # Controls the state of the ultra wideband setting and whether the user can toggle it on or off.
    &quot;wifiState&quot;: &quot;A String&quot;, # Controls current state of Wi-Fi and if user can change its state.
  },
  &quot;displaySettings&quot;: { # Controls for the display settings. # Optional. Controls for the display settings.
    &quot;screenBrightnessSettings&quot;: { # Controls for the screen brightness settings. # Optional. Controls the screen brightness settings.
      &quot;screenBrightness&quot;: 42, # Optional. The screen brightness between 1 and 255 where 1 is the lowest and 255 is the highest brightness. A value of 0 (default) means no screen brightness set. Any other value is rejected. screenBrightnessMode must be either BRIGHTNESS_AUTOMATIC or BRIGHTNESS_FIXED to set this. Supported on Android 9 and above on fully managed devices. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 9. Supported on work profiles on company-owned devices on Android 15 and above.
      &quot;screenBrightnessMode&quot;: &quot;A String&quot;, # Optional. Controls the screen brightness mode.
    },
    &quot;screenTimeoutSettings&quot;: { # Controls the screen timeout settings. # Optional. Controls the screen timeout settings.
      &quot;screenTimeout&quot;: &quot;A String&quot;, # Optional. Controls the screen timeout duration. The screen timeout duration must be greater than 0, otherwise it is rejected. Additionally, it should not be greater than maximumTimeToLock, otherwise the screen timeout is set to maximumTimeToLock and a NonComplianceDetail with INVALID_VALUE reason and SCREEN_TIMEOUT_GREATER_THAN_MAXIMUM_TIME_TO_LOCK specific reason is reported. If the screen timeout is less than a certain lower bound, it is set to the lower bound. The lower bound may vary across devices. If this is set, screenTimeoutMode must be SCREEN_TIMEOUT_ENFORCED. Supported on Android 9 and above on fully managed devices. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 9. Supported on work profiles on company-owned devices on Android 15 and above.
      &quot;screenTimeoutMode&quot;: &quot;A String&quot;, # Optional. Controls whether the user is allowed to configure the screen timeout.
    },
  },
  &quot;encryptionPolicy&quot;: &quot;A String&quot;, # Whether encryption is enabled
  &quot;ensureVerifyAppsEnabled&quot;: True or False, # Whether app verification is force-enabled.
  &quot;enterpriseDisplayNameVisibility&quot;: &quot;A String&quot;, # Optional. Controls whether the enterpriseDisplayName is visible on the device (e.g. lock screen message on company-owned devices).
  &quot;factoryResetDisabled&quot;: True or False, # Whether factory resetting from settings is disabled.
  &quot;frpAdminEmails&quot;: [ # Email addresses of device administrators for factory reset protection. When the device is factory reset, it will require one of these admins to log in with the Google account email and password to unlock the device. If no admins are specified, the device won&#x27;t provide factory reset protection.
    &quot;A String&quot;,
  ],
  &quot;funDisabled&quot;: True or False, # Whether the user is allowed to have fun. Controls whether the Easter egg game in Settings is disabled.
  &quot;installAppsDisabled&quot;: True or False, # Whether user installation of apps is disabled.
  &quot;installUnknownSourcesAllowed&quot;: True or False, # This field has no effect.
  &quot;keyguardDisabled&quot;: True or False, # If true, this disables the Lock Screen (https://source.android.com/docs/core/display/multi_display/lock-screen) for primary and/or secondary displays. This policy is supported only in dedicated device management mode.
  &quot;keyguardDisabledFeatures&quot;: [ # Disabled keyguard customizations, such as widgets.
    &quot;A String&quot;,
  ],
  &quot;kioskCustomLauncherEnabled&quot;: True or False, # Whether the kiosk custom launcher is enabled. This replaces the home screen with a launcher that locks down the device to the apps installed via the applications setting. Apps appear on a single page in alphabetical order. Use kioskCustomization to further configure the kiosk device behavior.
  &quot;kioskCustomization&quot;: { # Settings controlling the behavior of a device in kiosk mode. To enable kiosk mode, set kioskCustomLauncherEnabled to true or specify an app in the policy with installType KIOSK. # Settings controlling the behavior of a device in kiosk mode. To enable kiosk mode, set kioskCustomLauncherEnabled to true or specify an app in the policy with installType KIOSK.
    &quot;deviceSettings&quot;: &quot;A String&quot;, # Specifies whether the Settings app is allowed in kiosk mode.
    &quot;powerButtonActions&quot;: &quot;A String&quot;, # Sets the behavior of a device in kiosk mode when a user presses and holds (long-presses) the Power button.
    &quot;statusBar&quot;: &quot;A String&quot;, # Specifies whether system info and notifications are disabled in kiosk mode.
    &quot;systemErrorWarnings&quot;: &quot;A String&quot;, # Specifies whether system error dialogs for crashed or unresponsive apps are blocked in kiosk mode. When blocked, the system will force-stop the app as if the user chooses the &quot;close app&quot; option on the UI.
    &quot;systemNavigation&quot;: &quot;A String&quot;, # Specifies which navigation features are enabled (e.g. Home, Overview buttons) in kiosk mode.
  },
  &quot;locationMode&quot;: &quot;A String&quot;, # The degree of location detection enabled.
  &quot;longSupportMessage&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # A message displayed to the user in the device administators settings screen.
    &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
    &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
      &quot;a_key&quot;: &quot;A String&quot;,
    },
  },
  &quot;maximumTimeToLock&quot;: &quot;A String&quot;, # Maximum time in milliseconds for user activity until the device locks. A value of 0 means there is no restriction.
  &quot;microphoneAccess&quot;: &quot;A String&quot;, # Controls the use of the microphone and whether the user has access to the microphone access toggle. This applies only on fully managed devices.
  &quot;minimumApiLevel&quot;: 42, # The minimum allowed Android API level.
  &quot;mobileNetworksConfigDisabled&quot;: True or False, # Whether configuring mobile networks is disabled.
  &quot;modifyAccountsDisabled&quot;: True or False, # Whether adding or removing accounts is disabled.
  &quot;mountPhysicalMediaDisabled&quot;: True or False, # Whether the user mounting physical external media is disabled.
  &quot;name&quot;: &quot;A String&quot;, # The name of the policy in the form enterprises/{enterpriseId}/policies/{policyId}.
  &quot;networkEscapeHatchEnabled&quot;: True or False, # Whether the network escape hatch is enabled. If a network connection can&#x27;t be made at boot time, the escape hatch prompts the user to temporarily connect to a network in order to refresh the device policy. After applying policy, the temporary network will be forgotten and the device will continue booting. This prevents being unable to connect to a network if there is no suitable network in the last policy and the device boots into an app in lock task mode, or the user is otherwise unable to reach device settings.Note: Setting wifiConfigDisabled to true will override this setting under specific circumstances. Please see wifiConfigDisabled for further details. Setting configureWifi to DISALLOW_CONFIGURING_WIFI will override this setting under specific circumstances. Please see DISALLOW_CONFIGURING_WIFI for further details.
  &quot;networkResetDisabled&quot;: True or False, # Whether resetting network settings is disabled.
  &quot;oncCertificateProviders&quot;: [ # This feature is not generally available.
    { # This feature is not generally available.
      &quot;certificateReferences&quot;: [ # This feature is not generally available.
        &quot;A String&quot;,
      ],
      &quot;contentProviderEndpoint&quot;: { # This feature is not generally available. # This feature is not generally available.
        &quot;packageName&quot;: &quot;A String&quot;, # This feature is not generally available.
        &quot;signingCertsSha256&quot;: [ # Required. This feature is not generally available.
          &quot;A String&quot;,
        ],
        &quot;uri&quot;: &quot;A String&quot;, # This feature is not generally available.
      },
    },
  ],
  &quot;openNetworkConfiguration&quot;: { # Network configuration for the device. See configure networks for more information.
    &quot;a_key&quot;: &quot;&quot;, # Properties of the object.
  },
  &quot;outgoingBeamDisabled&quot;: True or False, # Whether using NFC to beam data from apps is disabled.
  &quot;outgoingCallsDisabled&quot;: True or False, # Whether outgoing calls are disabled.
  &quot;passwordPolicies&quot;: [ # Password requirement policies. Different policies can be set for work profile or fully managed devices by setting the password_scope field in the policy.
    { # Requirements for the password used to unlock a device.
      &quot;maximumFailedPasswordsForWipe&quot;: 42, # Number of incorrect device-unlock passwords that can be entered before a device is wiped. A value of 0 means there is no restriction.
      &quot;passwordExpirationTimeout&quot;: &quot;A String&quot;, # Password expiration timeout.
      &quot;passwordHistoryLength&quot;: 42, # The length of the password history. After setting this field, the user won&#x27;t be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction.
      &quot;passwordMinimumLength&quot;: 42, # The minimum allowed password length. A value of 0 means there is no restriction. Only enforced when password_quality is NUMERIC, NUMERIC_COMPLEX, ALPHABETIC, ALPHANUMERIC, or COMPLEX.
      &quot;passwordMinimumLetters&quot;: 42, # Minimum number of letters required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumLowerCase&quot;: 42, # Minimum number of lower case letters required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumNonLetter&quot;: 42, # Minimum number of non-letter characters (numerical digits or symbols) required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumNumeric&quot;: 42, # Minimum number of numerical digits required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumSymbols&quot;: 42, # Minimum number of symbols required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumUpperCase&quot;: 42, # Minimum number of upper case letters required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordQuality&quot;: &quot;A String&quot;, # The required password quality.
      &quot;passwordScope&quot;: &quot;A String&quot;, # The scope that the password requirement applies to.
      &quot;requirePasswordUnlock&quot;: &quot;A String&quot;, # The length of time after a device or work profile is unlocked using a strong form of authentication (password, PIN, pattern) that it can be unlocked using any other authentication method (e.g. fingerprint, trust agents, face). After the specified time period elapses, only strong forms of authentication can be used to unlock the device or work profile.
      &quot;unifiedLockSettings&quot;: &quot;A String&quot;, # Controls whether a unified lock is allowed for the device and the work profile, on devices running Android 9 and above with a work profile. This can be set only if password_scope is set to SCOPE_PROFILE, the policy will be rejected otherwise. If user has not set a separate work lock and this field is set to REQUIRE_SEPARATE_WORK_LOCK, a NonComplianceDetail is reported with nonComplianceReason set to USER_ACTION.
    },
  ],
  &quot;passwordRequirements&quot;: { # Requirements for the password used to unlock a device. # Password requirements. The field password_requirements.require_password_unlock must not be set. DEPRECATED - Use passwordPolicies.Note:Complexity-based values of PasswordQuality, that is, COMPLEXITY_LOW, COMPLEXITY_MEDIUM, and COMPLEXITY_HIGH, cannot be used here. unified_lock_settings cannot be used here.
    &quot;maximumFailedPasswordsForWipe&quot;: 42, # Number of incorrect device-unlock passwords that can be entered before a device is wiped. A value of 0 means there is no restriction.
    &quot;passwordExpirationTimeout&quot;: &quot;A String&quot;, # Password expiration timeout.
    &quot;passwordHistoryLength&quot;: 42, # The length of the password history. After setting this field, the user won&#x27;t be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction.
    &quot;passwordMinimumLength&quot;: 42, # The minimum allowed password length. A value of 0 means there is no restriction. Only enforced when password_quality is NUMERIC, NUMERIC_COMPLEX, ALPHABETIC, ALPHANUMERIC, or COMPLEX.
    &quot;passwordMinimumLetters&quot;: 42, # Minimum number of letters required in the password. Only enforced when password_quality is COMPLEX.
    &quot;passwordMinimumLowerCase&quot;: 42, # Minimum number of lower case letters required in the password. Only enforced when password_quality is COMPLEX.
    &quot;passwordMinimumNonLetter&quot;: 42, # Minimum number of non-letter characters (numerical digits or symbols) required in the password. Only enforced when password_quality is COMPLEX.
    &quot;passwordMinimumNumeric&quot;: 42, # Minimum number of numerical digits required in the password. Only enforced when password_quality is COMPLEX.
    &quot;passwordMinimumSymbols&quot;: 42, # Minimum number of symbols required in the password. Only enforced when password_quality is COMPLEX.
    &quot;passwordMinimumUpperCase&quot;: 42, # Minimum number of upper case letters required in the password. Only enforced when password_quality is COMPLEX.
    &quot;passwordQuality&quot;: &quot;A String&quot;, # The required password quality.
    &quot;passwordScope&quot;: &quot;A String&quot;, # The scope that the password requirement applies to.
    &quot;requirePasswordUnlock&quot;: &quot;A String&quot;, # The length of time after a device or work profile is unlocked using a strong form of authentication (password, PIN, pattern) that it can be unlocked using any other authentication method (e.g. fingerprint, trust agents, face). After the specified time period elapses, only strong forms of authentication can be used to unlock the device or work profile.
    &quot;unifiedLockSettings&quot;: &quot;A String&quot;, # Controls whether a unified lock is allowed for the device and the work profile, on devices running Android 9 and above with a work profile. This can be set only if password_scope is set to SCOPE_PROFILE, the policy will be rejected otherwise. If user has not set a separate work lock and this field is set to REQUIRE_SEPARATE_WORK_LOCK, a NonComplianceDetail is reported with nonComplianceReason set to USER_ACTION.
  },
  &quot;permissionGrants&quot;: [ # Explicit permission or group grants or denials for all apps. These values override the default_permission_policy.
    { # Configuration for an Android permission and its grant state.
      &quot;permission&quot;: &quot;A String&quot;, # The Android permission or group, e.g. android.permission.READ_CALENDAR or android.permission_group.CALENDAR.
      &quot;policy&quot;: &quot;A String&quot;, # The policy for granting the permission.
    },
  ],
  &quot;permittedAccessibilityServices&quot;: { # A list of package names. # Specifies permitted accessibility services. If the field is not set, any accessibility service can be used. If the field is set, only the accessibility services in this list and the system&#x27;s built-in accessibility service can be used. In particular, if the field is set to empty, only the system&#x27;s built-in accessibility servicess can be used. This can be set on fully managed devices and on work profiles. When applied to a work profile, this affects both the personal profile and the work profile.
    &quot;packageNames&quot;: [ # A list of package names.
      &quot;A String&quot;,
    ],
  },
  &quot;permittedInputMethods&quot;: { # A list of package names. # If present, only the input methods provided by packages in this list are permitted. If this field is present, but the list is empty, then only system input methods are permitted.
    &quot;packageNames&quot;: [ # A list of package names.
      &quot;A String&quot;,
    ],
  },
  &quot;persistentPreferredActivities&quot;: [ # Default intent handler activities.
    { # A default activity for handling intents that match a particular intent filter. Note: To set up a kiosk, use InstallType to KIOSK rather than use persistent preferred activities.
      &quot;actions&quot;: [ # The intent actions to match in the filter. If any actions are included in the filter, then an intent&#x27;s action must be one of those values for it to match. If no actions are included, the intent action is ignored.
        &quot;A String&quot;,
      ],
      &quot;categories&quot;: [ # The intent categories to match in the filter. An intent includes the categories that it requires, all of which must be included in the filter in order to match. In other words, adding a category to the filter has no impact on matching unless that category is specified in the intent.
        &quot;A String&quot;,
      ],
      &quot;receiverActivity&quot;: &quot;A String&quot;, # The activity that should be the default intent handler. This should be an Android component name, e.g. com.android.enterprise.app/.MainActivity. Alternatively, the value may be the package name of an app, which causes Android Device Policy to choose an appropriate activity from the app to handle the intent.
    },
  ],
  &quot;personalUsagePolicies&quot;: { # Policies controlling personal usage on a company-owned device with a work profile. # Policies managing personal usage on a company-owned device.
    &quot;accountTypesWithManagementDisabled&quot;: [ # Account types that can&#x27;t be managed by the user.
      &quot;A String&quot;,
    ],
    &quot;bluetoothSharing&quot;: &quot;A String&quot;, # Optional. Whether bluetooth sharing is allowed.
    &quot;cameraDisabled&quot;: True or False, # If true, the camera is disabled on the personal profile.
    &quot;maxDaysWithWorkOff&quot;: 42, # Controls how long the work profile can stay off. The minimum duration must be at least 3 days. Other details are as follows: - If the duration is set to 0, the feature is turned off. - If the duration is set to a value smaller than the minimum duration, the feature returns an error. *Note:* If you want to avoid personal profiles being suspended during long periods of off-time, you can temporarily set a large value for this parameter.
    &quot;personalApplications&quot;: [ # Policy applied to applications in the personal profile.
      { # Policies for apps in the personal profile of a company-owned device with a work profile.
        &quot;installType&quot;: &quot;A String&quot;, # The type of installation to perform.
        &quot;packageName&quot;: &quot;A String&quot;, # The package name of the application.
      },
    ],
    &quot;personalPlayStoreMode&quot;: &quot;A String&quot;, # Used together with personalApplications to control how apps in the personal profile are allowed or blocked.
    &quot;privateSpacePolicy&quot;: &quot;A String&quot;, # Optional. Controls whether a private space is allowed on the device.
    &quot;screenCaptureDisabled&quot;: True or False, # If true, screen capture is disabled for all users.
  },
  &quot;playStoreMode&quot;: &quot;A String&quot;, # This mode controls which apps are available to the user in the Play Store and the behavior on the device when apps are removed from the policy.
  &quot;policyEnforcementRules&quot;: [ # Rules that define the behavior when a particular policy can not be applied on device
    { # A rule that defines the actions to take if a device or work profile is not compliant with the policy specified in settingName. In the case of multiple matching or multiple triggered enforcement rules, a merge will occur with the most severe action being taken. However, all triggered rules are still kept track of: this includes initial trigger time and all associated non-compliance details. In the situation where the most severe enforcement rule is satisfied, the next most appropriate action is applied.
      &quot;blockAction&quot;: { # An action to block access to apps and data on a fully managed device or in a work profile. This action also triggers a device or work profile to displays a user-facing notification with information (where possible) on how to correct the compliance issue. Note: wipeAction must also be specified. # An action to block access to apps and data on a company owned device or in a work profile. This action also triggers a user-facing notification with information (where possible) on how to correct the compliance issue. Note: wipeAction must also be specified.
        &quot;blockAfterDays&quot;: 42, # Number of days the policy is non-compliant before the device or work profile is blocked. To block access immediately, set to 0. blockAfterDays must be less than wipeAfterDays.
        &quot;blockScope&quot;: &quot;A String&quot;, # Specifies the scope of this BlockAction. Only applicable to devices that are company-owned.
      },
      &quot;settingName&quot;: &quot;A String&quot;, # The top-level policy to enforce. For example, applications or passwordPolicies.
      &quot;wipeAction&quot;: { # An action to reset a company owned device or delete a work profile. Note: blockAction must also be specified. # An action to reset a company owned device or delete a work profile. Note: blockAction must also be specified.
        &quot;preserveFrp&quot;: True or False, # Whether the factory-reset protection data is preserved on the device. This setting doesn’t apply to work profiles.
        &quot;wipeAfterDays&quot;: 42, # Number of days the policy is non-compliant before the device or work profile is wiped. wipeAfterDays must be greater than blockAfterDays.
      },
    },
  ],
  &quot;preferentialNetworkService&quot;: &quot;A String&quot;, # Controls whether preferential network service is enabled on the work profile or on fully managed devices. For example, an organization may have an agreement with a carrier that all of the work data from its employees&#x27; devices will be sent via a network service dedicated for enterprise use. An example of a supported preferential network service is the enterprise slice on 5G networks. This policy has no effect if preferentialNetworkServiceSettings or ApplicationPolicy.preferentialNetworkId is set on devices running Android 13 or above.
  &quot;printingPolicy&quot;: &quot;A String&quot;, # Optional. Controls whether printing is allowed. This is supported on devices running Android 9 and above. .
  &quot;privateKeySelectionEnabled&quot;: True or False, # Allows showing UI on a device for a user to choose a private key alias if there are no matching rules in ChoosePrivateKeyRules. For devices below Android P, setting this may leave enterprise keys vulnerable. This value will have no effect if any application has CERT_SELECTION delegation scope.
  &quot;recommendedGlobalProxy&quot;: { # Configuration info for an HTTP proxy. For a direct proxy, set the host, port, and excluded_hosts fields. For a PAC script proxy, set the pac_uri field. # The network-independent global HTTP proxy. Typically proxies should be configured per-network in open_network_configuration. However for unusual configurations like general internal filtering a global HTTP proxy may be useful. If the proxy is not accessible, network access may break. The global proxy is only a recommendation and some apps may ignore it.
    &quot;excludedHosts&quot;: [ # For a direct proxy, the hosts for which the proxy is bypassed. The host names may contain wildcards such as *.example.com.
      &quot;A String&quot;,
    ],
    &quot;host&quot;: &quot;A String&quot;, # The host of the direct proxy.
    &quot;pacUri&quot;: &quot;A String&quot;, # The URI of the PAC script used to configure the proxy.
    &quot;port&quot;: 42, # The port of the direct proxy.
  },
  &quot;removeUserDisabled&quot;: True or False, # Whether removing other users is disabled.
  &quot;safeBootDisabled&quot;: True or False, # Whether rebooting the device into safe boot is disabled.
  &quot;screenCaptureDisabled&quot;: True or False, # Whether screen capture is disabled.
  &quot;setUserIconDisabled&quot;: True or False, # Whether changing the user icon is disabled. The setting has effect only on fully managed devices.
  &quot;setWallpaperDisabled&quot;: True or False, # Whether changing the wallpaper is disabled.
  &quot;setupActions&quot;: [ # Action to take during the setup process. At most one action may be specified.
    { # An action executed during setup.
      &quot;description&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # Description of this action.
        &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
        &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
          &quot;a_key&quot;: &quot;A String&quot;,
        },
      },
      &quot;launchApp&quot;: { # An action to launch an app. # An action to launch an app. The app will be launched with an intent containing an extra with key com.google.android.apps.work.clouddpc.EXTRA_LAUNCHED_AS_SETUP_ACTION set to the boolean value true to indicate that this is a setup action flow. If SetupAction references an app, the corresponding installType in the application policy must be set as REQUIRED_FOR_SETUP or said setup will fail.
        &quot;packageName&quot;: &quot;A String&quot;, # Package name of app to be launched
      },
      &quot;title&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # Title of this action.
        &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
        &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
          &quot;a_key&quot;: &quot;A String&quot;,
        },
      },
    },
  ],
  &quot;shareLocationDisabled&quot;: True or False, # Whether location sharing is disabled. share_location_disabled is supported for both fully managed devices and personally owned work profiles.
  &quot;shortSupportMessage&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # A message displayed to the user in the settings screen wherever functionality has been disabled by the admin. If the message is longer than 200 characters it may be truncated.
    &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
    &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
      &quot;a_key&quot;: &quot;A String&quot;,
    },
  },
  &quot;skipFirstUseHintsEnabled&quot;: True or False, # Flag to skip hints on the first use. Enterprise admin can enable the system recommendation for apps to skip their user tutorial and other introductory hints on first start-up.
  &quot;smsDisabled&quot;: True or False, # Whether sending and receiving SMS messages is disabled.
  &quot;statusBarDisabled&quot;: True or False, # Whether the status bar is disabled. This disables notifications, quick settings, and other screen overlays that allow escape from full-screen mode. DEPRECATED. To disable the status bar on a kiosk device, use InstallType KIOSK or kioskCustomLauncherEnabled.
  &quot;statusReportingSettings&quot;: { # Settings controlling the behavior of status reports. # Status reporting settings
    &quot;applicationReportingSettings&quot;: { # Settings controlling the behavior of application reports. # Application reporting settings. Only applicable if application_reports_enabled is true.
      &quot;includeRemovedApps&quot;: True or False, # Whether removed apps are included in application reports.
    },
    &quot;applicationReportsEnabled&quot;: True or False, # Whether app reports are enabled.
    &quot;commonCriteriaModeEnabled&quot;: True or False, # Whether Common Criteria Mode reporting is enabled. This is supported only on company-owned devices.
    &quot;defaultApplicationInfoReportingEnabled&quot;: True or False, # Optional. Whether defaultApplicationInfo reporting is enabled.
    &quot;deviceSettingsEnabled&quot;: True or False, # Whether device settings reporting is enabled.
    &quot;displayInfoEnabled&quot;: True or False, # Whether displays reporting is enabled. Report data is not available for personally owned devices with work profiles.
    &quot;hardwareStatusEnabled&quot;: True or False, # Whether hardware status reporting is enabled. Report data is not available for personally owned devices with work profiles.
    &quot;memoryInfoEnabled&quot;: True or False, # Whether memory event reporting is enabled.
    &quot;networkInfoEnabled&quot;: True or False, # Whether network info reporting is enabled.
    &quot;powerManagementEventsEnabled&quot;: True or False, # Whether power management event reporting is enabled. Report data is not available for personally owned devices with work profiles.
    &quot;softwareInfoEnabled&quot;: True or False, # Whether software info reporting is enabled.
    &quot;systemPropertiesEnabled&quot;: True or False, # Whether system properties reporting is enabled.
  },
  &quot;stayOnPluggedModes&quot;: [ # The battery plugged in modes for which the device stays on. When using this setting, it is recommended to clear maximum_time_to_lock so that the device doesn&#x27;t lock itself while it stays on.
    &quot;A String&quot;,
  ],
  &quot;systemUpdate&quot;: { # Configuration for managing system updatesNote: Google Play system updates (https://source.android.com/docs/core/ota/modular-system) (also called Mainline updates) are automatically downloaded but require a device reboot to be installed. Refer to the mainline section in Manage system updates (https://developer.android.com/work/dpc/system-updates#mainline) for further details. # The system update policy, which controls how OS updates are applied. If the update type is WINDOWED, the update window will automatically apply to Play app updates as well.Note: Google Play system updates (https://source.android.com/docs/core/ota/modular-system) (also called Mainline updates) are automatically downloaded and require a device reboot to be installed. Refer to the mainline section in Manage system updates (https://developer.android.com/work/dpc/system-updates#mainline) for further details.
    &quot;endMinutes&quot;: 42, # If the type is WINDOWED, the end of the maintenance window, measured as the number of minutes after midnight in device&#x27;s local time. This value must be between 0 and 1439, inclusive. If this value is less than start_minutes, then the maintenance window spans midnight. If the maintenance window specified is smaller than 30 minutes, the actual window is extended to 30 minutes beyond the start time.
    &quot;freezePeriods&quot;: [ # An annually repeating time period in which over-the-air (OTA) system updates are postponed to freeze the OS version running on a device. To prevent freezing the device indefinitely, each freeze period must be separated by at least 60 days.
      { # A system freeze period. When a device’s clock is within the freeze period, all incoming system updates (including security patches) are blocked and won’t be installed.When the device is outside any set freeze periods, the normal policy behavior (automatic, windowed, or postponed) applies.Leap years are ignored in freeze period calculations, in particular: If Feb. 29th is set as the start or end date of a freeze period, the freeze period will start or end on Feb. 28th instead. When a device’s system clock reads Feb. 29th, it’s treated as Feb. 28th. When calculating the number of days in a freeze period or the time between two freeze periods, Feb. 29th is ignored and not counted as a day.Note: For Freeze Periods to take effect, SystemUpdateType cannot be specified as SYSTEM_UPDATE_TYPE_UNSPECIFIED, because freeze periods require a defined policy to be specified.
        &quot;endDate&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: A full date, with non-zero year, month, and day values. A month and day, with a zero year (for example, an anniversary). A year on its own, with a zero month and a zero day. A year and month, with a zero day (for example, a credit card expiration date).Related types: google.type.TimeOfDay google.type.DateTime google.protobuf.Timestamp # The end date (inclusive) of the freeze period. Must be no later than 90 days from the start date. If the end date is earlier than the start date, the freeze period is considered wrapping year-end. Note: day and month must be set. year should not be set as it is not used. For example, {&quot;month&quot;: 1,&quot;date&quot;: 30}.
          &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
          &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
          &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
        },
        &quot;startDate&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: A full date, with non-zero year, month, and day values. A month and day, with a zero year (for example, an anniversary). A year on its own, with a zero month and a zero day. A year and month, with a zero day (for example, a credit card expiration date).Related types: google.type.TimeOfDay google.type.DateTime google.protobuf.Timestamp # The start date (inclusive) of the freeze period. Note: day and month must be set. year should not be set as it is not used. For example, {&quot;month&quot;: 1,&quot;date&quot;: 30}.
          &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
          &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
          &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
        },
      },
    ],
    &quot;startMinutes&quot;: 42, # If the type is WINDOWED, the start of the maintenance window, measured as the number of minutes after midnight in the device&#x27;s local time. This value must be between 0 and 1439, inclusive.
    &quot;type&quot;: &quot;A String&quot;, # The type of system update to configure.
  },
  &quot;tetheringConfigDisabled&quot;: True or False, # Whether configuring tethering and portable hotspots is disabled. If tetheringSettings is set to anything other than TETHERING_SETTINGS_UNSPECIFIED, this setting is ignored.
  &quot;uninstallAppsDisabled&quot;: True or False, # Whether user uninstallation of applications is disabled. This prevents apps from being uninstalled, even those removed using applications
  &quot;unmuteMicrophoneDisabled&quot;: True or False, # If microphone_access is set to any value other than MICROPHONE_ACCESS_UNSPECIFIED, this has no effect. Otherwise this field controls whether microphones are disabled: If true, all microphones are disabled, otherwise they are available. This is available only on fully managed devices.
  &quot;usageLog&quot;: { # Controls types of device activity logs collected from the device and reported via Pub/Sub notification (https://developers.google.com/android/management/notifications). # Configuration of device activity logging.
    &quot;enabledLogTypes&quot;: [ # Specifies which log types are enabled. Note that users will receive on-device messaging when usage logging is enabled.
      &quot;A String&quot;,
    ],
    &quot;uploadOnCellularAllowed&quot;: [ # Specifies which of the enabled log types can be uploaded over mobile data. By default logs are queued for upload when the device connects to WiFi.
      &quot;A String&quot;,
    ],
  },
  &quot;usbFileTransferDisabled&quot;: True or False, # Whether transferring files over USB is disabled. This is supported only on company-owned devices.
  &quot;usbMassStorageEnabled&quot;: True or False, # Whether USB storage is enabled. Deprecated.
  &quot;version&quot;: &quot;A String&quot;, # The version of the policy. This is a read-only field. The version is incremented each time the policy is updated.
  &quot;vpnConfigDisabled&quot;: True or False, # Whether configuring VPN is disabled.
  &quot;wifiConfigDisabled&quot;: True or False, # Whether configuring Wi-Fi networks is disabled. Supported on fully managed devices and work profiles on company-owned devices. For fully managed devices, setting this to true removes all configured networks and retains only the networks configured using openNetworkConfiguration. For work profiles on company-owned devices, existing configured networks are not affected and the user is not allowed to add, remove, or modify Wi-Fi networks. If configureWifi is set to anything other than CONFIGURE_WIFI_UNSPECIFIED, this setting is ignored. Note: If a network connection can&#x27;t be made at boot time and configuring Wi-Fi is disabled then network escape hatch will be shown in order to refresh the device policy (see networkEscapeHatchEnabled).
  &quot;wifiConfigsLockdownEnabled&quot;: True or False, # This is deprecated.
  &quot;wipeDataFlags&quot;: [ # Optional. Wipe flags to indicate what data is wiped when a device or profile wipe is triggered due to any reason (for example, non-compliance). This does not apply to the enterprises.devices.delete method. . This list must not have duplicates.
    &quot;A String&quot;,
  ],
  &quot;workAccountSetupConfig&quot;: { # Controls the work account setup configuration, such as details of whether a Google authenticated account is required. # Optional. Controls the work account setup configuration, such as details of whether a Google authenticated account is required.
    &quot;authenticationType&quot;: &quot;A String&quot;, # Optional. The authentication type of the user on the device.
    &quot;requiredAccountEmail&quot;: &quot;A String&quot;, # Optional. The specific google work account email address to be added. This field is only relevant if authenticationType is GOOGLE_AUTHENTICATED. This must be an enterprise account and not a consumer account. Once set and a Google authenticated account is added to the device, changing this field will have no effect, and thus recommended to be set only once.
  },
}</pre>
</div>

<div class="method">
    <code class="details" id="removePolicyApplications">removePolicyApplications(name, body=None, x__xgafv=None)</code>
  <pre>Removes applications in a policy.

Args:
  name: string, Required. The name of the policy containing the ApplicationPolicy objects to be removed, in the form enterprises/{enterpriseId}/policies/{policyId}. (required)
  body: object, The request body.
    The object takes the form of:

{ # Request to remove ApplicationPolicy objects in the given policy.
  &quot;packageNames&quot;: [ # Required. Package names to be removed. Entries that are not found are ignored. There must be at least one entry in package_names.
    &quot;A String&quot;,
  ],
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # Response to a request to remove ApplicationPolicy objects in the given policy.
  &quot;policy&quot;: { # A policy resource represents a group of settings that govern the behavior of a managed device and the apps installed on it. # The updated policy after ApplicationPolicy objects have been removed.
    &quot;accountTypesWithManagementDisabled&quot;: [ # Account types that can&#x27;t be managed by the user.
      &quot;A String&quot;,
    ],
    &quot;addUserDisabled&quot;: True or False, # Whether adding new users and profiles is disabled. For devices where managementMode is DEVICE_OWNER this field is ignored and the user is never allowed to add or remove users.
    &quot;adjustVolumeDisabled&quot;: True or False, # Whether adjusting the master volume is disabled. Also mutes the device. The setting has effect only on fully managed devices.
    &quot;advancedSecurityOverrides&quot;: { # Advanced security settings. In most cases, setting these is not needed. # Advanced security settings. In most cases, setting these is not needed.
      &quot;commonCriteriaMode&quot;: &quot;A String&quot;, # Controls Common Criteria Mode—security standards defined in the Common Criteria for Information Technology Security Evaluation (https://www.commoncriteriaportal.org/) (CC). Enabling Common Criteria Mode increases certain security components on a device, see CommonCriteriaMode for details.Warning: Common Criteria Mode enforces a strict security model typically only required for IT products used in national security systems and other highly sensitive organizations. Standard device use may be affected. Only enabled if required. If Common Criteria Mode is turned off after being enabled previously, all user-configured Wi-Fi networks may be lost and any enterprise-configured Wi-Fi networks that require user input may need to be reconfigured.
      &quot;contentProtectionPolicy&quot;: &quot;A String&quot;, # Optional. Controls whether content protection, which scans for deceptive apps, is enabled. This is supported on Android 15 and above.
      &quot;developerSettings&quot;: &quot;A String&quot;, # Controls access to developer settings: developer options and safe boot. Replaces safeBootDisabled (deprecated) and debuggingFeaturesAllowed (deprecated). On personally-owned devices with a work profile, setting this policy will not disable safe boot. In this case, a NonComplianceDetail with MANAGEMENT_MODE is reported.
      &quot;googlePlayProtectVerifyApps&quot;: &quot;A String&quot;, # Whether Google Play Protect verification (https://support.google.com/accounts/answer/2812853) is enforced. Replaces ensureVerifyAppsEnabled (deprecated).
      &quot;mtePolicy&quot;: &quot;A String&quot;, # Optional. Controls Memory Tagging Extension (MTE) (https://source.android.com/docs/security/test/memory-safety/arm-mte) on the device. The device needs to be rebooted to apply changes to the MTE policy. On Android 15 and above, a NonComplianceDetail with PENDING is reported if the policy change is pending a device reboot.
      &quot;personalAppsThatCanReadWorkNotifications&quot;: [ # Personal apps that can read work profile notifications using a NotificationListenerService (https://developer.android.com/reference/android/service/notification/NotificationListenerService). By default, no personal apps (aside from system apps) can read work notifications. Each value in the list must be a package name.
        &quot;A String&quot;,
      ],
      &quot;untrustedAppsPolicy&quot;: &quot;A String&quot;, # The policy for untrusted apps (apps from unknown sources) enforced on the device. Replaces install_unknown_sources_allowed (deprecated).
    },
    &quot;alwaysOnVpnPackage&quot;: { # Configuration for an always-on VPN connection. # Configuration for an always-on VPN connection. Use with vpn_config_disabled to prevent modification of this setting.
      &quot;lockdownEnabled&quot;: True or False, # Disallows networking when the VPN is not connected.
      &quot;packageName&quot;: &quot;A String&quot;, # The package name of the VPN app.
    },
    &quot;androidDevicePolicyTracks&quot;: [ # This setting is not supported. Any value is ignored.
      &quot;A String&quot;,
    ],
    &quot;appAutoUpdatePolicy&quot;: &quot;A String&quot;, # Recommended alternative: autoUpdateMode which is set per app, provides greater flexibility around update frequency.When autoUpdateMode is set to AUTO_UPDATE_POSTPONED or AUTO_UPDATE_HIGH_PRIORITY, this field has no effect.The app auto update policy, which controls when automatic app updates can be applied.
    &quot;appFunctions&quot;: &quot;A String&quot;, # Optional. Controls whether apps on the device for fully managed devices or in the work profile for devices with work profiles are allowed to expose app functions.
    &quot;applications&quot;: [ # Policy applied to apps. This can have at most 3,000 elements.
      { # Policy for an individual app. Note: Application availability on a given device cannot be changed using this policy if installAppsDisabled is enabled. The maximum number of applications that you can specify per policy is 3,000.
        &quot;accessibleTrackIds&quot;: [ # List of the app’s track IDs that a device belonging to the enterprise can access. If the list contains multiple track IDs, devices receive the latest version among all accessible tracks. If the list contains no track IDs, devices only have access to the app’s production track. More details about each track are available in AppTrackInfo.
          &quot;A String&quot;,
        ],
        &quot;alwaysOnVpnLockdownExemption&quot;: &quot;A String&quot;, # Specifies whether the app is allowed networking when the VPN is not connected and alwaysOnVpnPackage.lockdownEnabled is enabled. If set to VPN_LOCKDOWN_ENFORCED, the app is not allowed networking, and if set to VPN_LOCKDOWN_EXEMPTION, the app is allowed networking. Only supported on devices running Android 10 and above. If this is not supported by the device, the device will contain a NonComplianceDetail with non_compliance_reason set to API_LEVEL and a fieldPath. If this is not applicable to the app, the device will contain a NonComplianceDetail with non_compliance_reason set to UNSUPPORTED and a fieldPath. The fieldPath is set to applications[i].alwaysOnVpnLockdownExemption, where i is the index of the package in the applications policy.
        &quot;autoUpdateMode&quot;: &quot;A String&quot;, # Controls the auto-update mode for the app.
        &quot;connectedWorkAndPersonalApp&quot;: &quot;A String&quot;, # Controls whether the app can communicate with itself across a device’s work and personal profiles, subject to user consent.
        &quot;credentialProviderPolicy&quot;: &quot;A String&quot;, # Optional. Whether the app is allowed to act as a credential provider on Android 14 and above.
        &quot;customAppConfig&quot;: { # Configuration for a custom app. # Optional. Configuration for this custom app.install_type must be set to CUSTOM for this to be set.
          &quot;userUninstallSettings&quot;: &quot;A String&quot;, # Optional. User uninstall settings of the custom app.
        },
        &quot;defaultPermissionPolicy&quot;: &quot;A String&quot;, # The default policy for all permissions requested by the app. If specified, this overrides the policy-level default_permission_policy which applies to all apps. It does not override the permission_grants which applies to all apps.
        &quot;delegatedScopes&quot;: [ # The scopes delegated to the app from Android Device Policy. These provide additional privileges for the applications they are applied to.
          &quot;A String&quot;,
        ],
        &quot;disabled&quot;: True or False, # Whether the app is disabled. When disabled, the app data is still preserved.
        &quot;extensionConfig&quot;: { # Configuration to enable an app as an extension app, with the capability of interacting with Android Device Policy offline. For Android versions 11 and above, extension apps are exempt from battery restrictions so will not be placed into the restricted App Standby Bucket (https://developer.android.com/topic/performance/appstandby#restricted-bucket). Extensions apps are also protected against users clearing their data or force-closing the application, although admins can continue to use the clear app data command on extension apps if needed for Android 11 and above. # Configuration to enable this app as an extension app, with the capability of interacting with Android Device Policy offline.This field can be set for at most one app. If there is any app with COMPANION_APP role, this field cannot be set.The signing key certificate fingerprint of the app on the device must match one of the entries in ApplicationPolicy.signingKeyCerts or ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) or the signing key certificate fingerprints obtained from Play Store for the app to be able to communicate with Android Device Policy. If the app is not on Play Store and if ApplicationPolicy.signingKeyCerts and ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) are not set, a NonComplianceDetail with INVALID_VALUE is reported.
          &quot;notificationReceiver&quot;: &quot;A String&quot;, # Fully qualified class name of the receiver service class for Android Device Policy to notify the extension app of any local command status updates. The service must be exported in the extension app&#x27;s AndroidManifest.xml and extend NotificationReceiverService (https://developers.google.com/android/management/reference/amapi/com/google/android/managementapi/notification/NotificationReceiverService) (see Integrate with the AMAPI SDK (https://developers.google.com/android/management/sdk-integration) guide for more details).
          &quot;signingKeyFingerprintsSha256&quot;: [ # Hex-encoded SHA-256 hashes of the signing key certificates of the extension app. Only hexadecimal string representations of 64 characters are valid.The signing key certificate fingerprints are always obtained from the Play Store and this field is used to provide additional signing key certificate fingerprints. However, if the application is not available on the Play Store, this field needs to be set. A NonComplianceDetail with INVALID_VALUE is reported if this field is not set when the application is not available on the Play Store.The signing key certificate fingerprint of the extension app on the device must match one of the signing key certificate fingerprints obtained from the Play Store or the ones provided in this field for the app to be able to communicate with Android Device Policy.In production use cases, it is recommended to leave this empty.
            &quot;A String&quot;,
          ],
        },
        &quot;installConstraint&quot;: [ # Optional. The constraints for installing the app. You can specify a maximum of one InstallConstraint. Multiple constraints are rejected.
          { # Amongst apps with InstallType set to: FORCE_INSTALLED PREINSTALLEDthis defines a set of restrictions for the app installation. At least one of the fields must be set. When multiple fields are set, then all the constraints need to be satisfied for the app to be installed.
            &quot;chargingConstraint&quot;: &quot;A String&quot;, # Optional. Charging constraint.
            &quot;deviceIdleConstraint&quot;: &quot;A String&quot;, # Optional. Device idle constraint.
            &quot;networkTypeConstraint&quot;: &quot;A String&quot;, # Optional. Network type constraint.
          },
        ],
        &quot;installPriority&quot;: 42, # Optional. Amongst apps with installType set to: FORCE_INSTALLED PREINSTALLEDthis controls the relative priority of installation. A value of 0 (default) means this app has no priority over other apps. For values between 1 and 10,000, a lower value means a higher priority. Values outside of the range 0 to 10,000 inclusive are rejected.
        &quot;installType&quot;: &quot;A String&quot;, # The type of installation to perform.
        &quot;lockTaskAllowed&quot;: True or False, # Whether the app is allowed to lock itself in full-screen mode. DEPRECATED. Use InstallType KIOSK or kioskCustomLauncherEnabled to configure a dedicated device.
        &quot;managedConfiguration&quot;: { # Managed configuration applied to the app. The format for the configuration is dictated by the ManagedProperty values supported by the app. Each field name in the managed configuration must match the key field of the ManagedProperty. The field value must be compatible with the type of the ManagedProperty: *type* *JSON value* BOOL true or false STRING string INTEGER number CHOICE string MULTISELECT array of strings HIDDEN string BUNDLE_ARRAY array of objects
          &quot;a_key&quot;: &quot;&quot;, # Properties of the object.
        },
        &quot;managedConfigurationTemplate&quot;: { # The managed configurations template for the app, saved from the managed configurations iframe. # The managed configurations template for the app, saved from the managed configurations iframe. This field is ignored if managed_configuration is set.
          &quot;configurationVariables&quot;: { # Optional, a map containing configuration variables defined for the configuration.
            &quot;a_key&quot;: &quot;A String&quot;,
          },
          &quot;templateId&quot;: &quot;A String&quot;, # The ID of the managed configurations template.
        },
        &quot;minimumVersionCode&quot;: 42, # The minimum version of the app that runs on the device. If set, the device attempts to update the app to at least this version code. If the app is not up-to-date, the device will contain a NonComplianceDetail with non_compliance_reason set to APP_NOT_UPDATED. The app must already be published to Google Play with a version code greater than or equal to this value. At most 20 apps may specify a minimum version code per policy.
        &quot;packageName&quot;: &quot;A String&quot;, # The package name of the app. For example, com.google.android.youtube for the YouTube app.
        &quot;permissionGrants&quot;: [ # Explicit permission grants or denials for the app. These values override the default_permission_policy and permission_grants which apply to all apps.
          { # Configuration for an Android permission and its grant state.
            &quot;permission&quot;: &quot;A String&quot;, # The Android permission or group, e.g. android.permission.READ_CALENDAR or android.permission_group.CALENDAR.
            &quot;policy&quot;: &quot;A String&quot;, # The policy for granting the permission.
          },
        ],
        &quot;preferentialNetworkId&quot;: &quot;A String&quot;, # Optional. ID of the preferential network the application uses. There must be a configuration for the specified network ID in preferentialNetworkServiceConfigs. If set to PREFERENTIAL_NETWORK_ID_UNSPECIFIED, the application will use the default network ID specified in defaultPreferentialNetworkId. See the documentation of defaultPreferentialNetworkId for the list of apps excluded from this defaulting. This applies on both work profiles and fully managed devices on Android 13 and above.
        &quot;roles&quot;: [ # Optional. Roles the app has.Apps having certain roles can be exempted from power and background execution restrictions, suspension and hibernation on Android 14 and above. The user control can also be disallowed for apps with certain roles on Android 11 and above. Refer to the documentation of each RoleType for more details.The app is notified about the roles that are set for it if the app has a notification receiver service with . The app is notified whenever its roles are updated or after the app is installed when it has nonempty list of roles. The app can use this notification to bootstrap itself after the installation. See Integrate with the AMAPI SDK (https://developers.google.com/android/management/sdk-integration) and Manage app roles (https://developers.google.com/android/management/app-roles) guides for more details on the requirements for the service.For the exemptions to be applied and the app to be notified about the roles, the signing key certificate fingerprint of the app on the device must match one of the signing key certificate fingerprints obtained from Play Store or one of the entries in ApplicationPolicy.signingKeyCerts. Otherwise, a NonComplianceDetail with APP_SIGNING_CERT_MISMATCH is reported.There must not be duplicate roles with the same roleType. Multiple apps cannot hold a role with the same roleType. A role with type ROLE_TYPE_UNSPECIFIED is not allowed.
          { # Role an app can have.
            &quot;roleType&quot;: &quot;A String&quot;, # Required. The type of the role an app can have.
          },
        ],
        &quot;signingKeyCerts&quot;: [ # Optional. Signing key certificates of the app.This field is required in the following cases: The app has installType set to CUSTOM (i.e. a custom app). The app has roles set to a nonempty list and the app does not exist on the Play Store. The app has extensionConfig set (i.e. an extension app) but ExtensionConfig.signingKeyFingerprintsSha256 (deprecated) is not set and the app does not exist on the Play Store.If this field is not set for a custom app, the policy is rejected. If it is not set when required for a non-custom app, a NonComplianceDetail with INVALID_VALUE is reported.For other cases, this field is optional and the signing key certificates obtained from Play Store are used.See following policy settings to see how this field is used: choosePrivateKeyRules ApplicationPolicy.InstallType.CUSTOM ApplicationPolicy.extensionConfig ApplicationPolicy.roles
          { # The application signing key certificate.
            &quot;signingKeyCertFingerprintSha256&quot;: &quot;A String&quot;, # Required. The SHA-256 hash value of the signing key certificate of the app. This must be a valid SHA-256 hash value, i.e. 32 bytes. Otherwise, the policy is rejected.
          },
        ],
        &quot;userControlSettings&quot;: &quot;A String&quot;, # Optional. Specifies whether user control is permitted for the app. User control includes user actions like force-stopping and clearing app data. Certain types of apps have special treatment, see USER_CONTROL_SETTINGS_UNSPECIFIED and USER_CONTROL_ALLOWED for more details.
        &quot;workProfileWidgets&quot;: &quot;A String&quot;, # Specifies whether the app installed in the work profile is allowed to add widgets to the home screen.
      },
    ],
    &quot;assistContentPolicy&quot;: &quot;A String&quot;, # Optional. Controls whether AssistContent (https://developer.android.com/reference/android/app/assist/AssistContent) is allowed to be sent to a privileged app such as an assistant app. AssistContent includes screenshots and information about an app, such as package name. This is supported on Android 15 and above.
    &quot;autoDateAndTimeZone&quot;: &quot;A String&quot;, # Whether auto date, time, and time zone are enabled on a company-owned device. If this is set, then autoTimeRequired is ignored.
    &quot;autoTimeRequired&quot;: True or False, # Whether auto time is required, which prevents the user from manually setting the date and time. If autoDateAndTimeZone is set, this field is ignored.
    &quot;blockApplicationsEnabled&quot;: True or False, # Whether applications other than the ones configured in applications are blocked from being installed. When set, applications that were installed under a previous policy but no longer appear in the policy are automatically uninstalled.
    &quot;bluetoothConfigDisabled&quot;: True or False, # Whether configuring bluetooth is disabled.
    &quot;bluetoothContactSharingDisabled&quot;: True or False, # Whether bluetooth contact sharing is disabled.
    &quot;bluetoothDisabled&quot;: True or False, # Whether bluetooth is disabled. Prefer this setting over bluetooth_config_disabled because bluetooth_config_disabled can be bypassed by the user.
    &quot;cameraAccess&quot;: &quot;A String&quot;, # Controls the use of the camera and whether the user has access to the camera access toggle.
    &quot;cameraDisabled&quot;: True or False, # If camera_access is set to any value other than CAMERA_ACCESS_UNSPECIFIED, this has no effect. Otherwise this field controls whether cameras are disabled: If true, all cameras are disabled, otherwise they are available. For fully managed devices this field applies for all apps on the device. For work profiles, this field applies only to apps in the work profile, and the camera access of apps outside the work profile is unaffected.
    &quot;cellBroadcastsConfigDisabled&quot;: True or False, # Whether configuring cell broadcast is disabled.
    &quot;choosePrivateKeyRules&quot;: [ # Rules for determining apps&#x27; access to private keys. See ChoosePrivateKeyRule for details. This must be empty if any application has CERT_SELECTION delegation scope.
      { # Controls apps&#x27; access to private keys. The rule determines which private key, if any, Android Device Policy grants to the specified app. Access is granted either when the app calls KeyChain.choosePrivateKeyAlias (https://developer.android.com/reference/android/security/KeyChain#choosePrivateKeyAlias%28android.app.Activity,%20android.security.KeyChainAliasCallback,%20java.lang.String[],%20java.security.Principal[],%20java.lang.String,%20int,%20java.lang.String%29) (or any overloads) to request a private key alias for a given URL, or for rules that are not URL-specific (that is, if urlPattern is not set, or set to the empty string or .*) on Android 11 and above, directly so that the app can call KeyChain.getPrivateKey (https://developer.android.com/reference/android/security/KeyChain#getPrivateKey%28android.content.Context,%20java.lang.String%29), without first having to call KeyChain.choosePrivateKeyAlias.When an app calls KeyChain.choosePrivateKeyAlias if more than one choosePrivateKeyRules matches, the last matching rule defines which key alias to return.
        &quot;packageNames&quot;: [ # The package names to which this rule applies. The signing key certificate fingerprint of the app is verified against the signing key certificate fingerprints provided by Play Store and ApplicationPolicy.signingKeyCerts . If no package names are specified, then the alias is provided to all apps that call KeyChain.choosePrivateKeyAlias (https://developer.android.com/reference/android/security/KeyChain#choosePrivateKeyAlias%28android.app.Activity,%20android.security.KeyChainAliasCallback,%20java.lang.String[],%20java.security.Principal[],%20java.lang.String,%20int,%20java.lang.String%29) or any overloads (but not without calling KeyChain.choosePrivateKeyAlias, even on Android 11 and above). Any app with the same Android UID as a package specified here will have access when they call KeyChain.choosePrivateKeyAlias.
          &quot;A String&quot;,
        ],
        &quot;privateKeyAlias&quot;: &quot;A String&quot;, # The alias of the private key to be used.
        &quot;urlPattern&quot;: &quot;A String&quot;, # The URL pattern to match against the URL of the request. If not set or empty, it matches all URLs. This uses the regular expression syntax of java.util.regex.Pattern.
      },
    ],
    &quot;complianceRules&quot;: [ # Rules declaring which mitigating actions to take when a device is not compliant with its policy. When the conditions for multiple rules are satisfied, all of the mitigating actions for the rules are taken. There is a maximum limit of 100 rules. Use policy enforcement rules instead.
      { # A rule declaring which mitigating actions to take when a device is not compliant with its policy. For every rule, there is always an implicit mitigating action to set policy_compliant to false for the Device resource, and display a message on the device indicating that the device is not compliant with its policy. Other mitigating actions may optionally be taken as well, depending on the field values in the rule.
        &quot;apiLevelCondition&quot;: { # A compliance rule condition which is satisfied if the Android Framework API level on the device doesn&#x27;t meet a minimum requirement. There can only be one rule with this type of condition per policy. # A condition which is satisfied if the Android Framework API level on the device doesn&#x27;t meet a minimum requirement.
          &quot;minApiLevel&quot;: 42, # The minimum desired Android Framework API level. If the device doesn&#x27;t meet the minimum requirement, this condition is satisfied. Must be greater than zero.
        },
        &quot;disableApps&quot;: True or False, # If set to true, the rule includes a mitigating action to disable apps so that the device is effectively disabled, but app data is preserved. If the device is running an app in locked task mode, the app will be closed and a UI showing the reason for non-compliance will be displayed.
        &quot;nonComplianceDetailCondition&quot;: { # A compliance rule condition which is satisfied if there exists any matching NonComplianceDetail for the device. A NonComplianceDetail matches a NonComplianceDetailCondition if all the fields which are set within the NonComplianceDetailCondition match the corresponding NonComplianceDetail fields. # A condition which is satisfied if there exists any matching NonComplianceDetail for the device.
          &quot;nonComplianceReason&quot;: &quot;A String&quot;, # The reason the device is not in compliance with the setting. If not set, then this condition matches any reason.
          &quot;packageName&quot;: &quot;A String&quot;, # The package name of the app that&#x27;s out of compliance. If not set, then this condition matches any package name.
          &quot;settingName&quot;: &quot;A String&quot;, # The name of the policy setting. This is the JSON field name of a top-level Policy field. If not set, then this condition matches any setting name.
        },
        &quot;packageNamesToDisable&quot;: [ # If set, the rule includes a mitigating action to disable apps specified in the list, but app data is preserved.
          &quot;A String&quot;,
        ],
      },
    ],
    &quot;createWindowsDisabled&quot;: True or False, # Whether creating windows besides app windows is disabled.
    &quot;credentialProviderPolicyDefault&quot;: &quot;A String&quot;, # Controls which apps are allowed to act as credential providers on Android 14 and above. These apps store credentials, see this (https://developer.android.com/training/sign-in/passkeys) and this (https://developer.android.com/reference/androidx/credentials/CredentialManager) for details. See also credentialProviderPolicy.
    &quot;credentialsConfigDisabled&quot;: True or False, # Whether configuring user credentials is disabled.
    &quot;crossProfilePolicies&quot;: { # Controls the data from the work profile that can be accessed from the personal profile and vice versa. A NonComplianceDetail with MANAGEMENT_MODE is reported if the device does not have a work profile. # Cross-profile policies applied on the device.
      &quot;crossProfileAppFunctions&quot;: &quot;A String&quot;, # Optional. Controls whether personal profile apps can invoke app functions exposed by apps in the work profile.
      &quot;crossProfileCopyPaste&quot;: &quot;A String&quot;, # Whether text copied from one profile (personal or work) can be pasted in the other profile.
      &quot;crossProfileDataSharing&quot;: &quot;A String&quot;, # Whether data from one profile (personal or work) can be shared with apps in the other profile. Specifically controls simple data sharing via intents. Management of other cross-profile communication channels, such as contact search, copy/paste, or connected work &amp; personal apps, are configured separately.
      &quot;exemptionsToShowWorkContactsInPersonalProfile&quot;: { # A list of package names. # List of apps which are excluded from the ShowWorkContactsInPersonalProfile setting. For this to be set, ShowWorkContactsInPersonalProfile must be set to one of the following values: SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_ALLOWED. In this case, these exemptions act as a blocklist. SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED. In this case, these exemptions act as an allowlist. SHOW_WORK_CONTACTS_IN_PERSONAL_PROFILE_DISALLOWED_EXCEPT_SYSTEM. In this case, these exemptions act as an allowlist, in addition to the already allowlisted system apps.Supported on Android 14 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 14.
        &quot;packageNames&quot;: [ # A list of package names.
          &quot;A String&quot;,
        ],
      },
      &quot;showWorkContactsInPersonalProfile&quot;: &quot;A String&quot;, # Whether personal apps can access contacts stored in the work profile.See also exemptions_to_show_work_contacts_in_personal_profile.
      &quot;workProfileWidgetsDefault&quot;: &quot;A String&quot;, # Specifies the default behaviour for work profile widgets. If the policy does not specify work_profile_widgets for a specific application, it will behave according to the value specified here.
    },
    &quot;dataRoamingDisabled&quot;: True or False, # Whether roaming data services are disabled.
    &quot;debuggingFeaturesAllowed&quot;: True or False, # Whether the user is allowed to enable debugging features.
    &quot;defaultApplicationSettings&quot;: [ # Optional. The default application setting for supported types. If the default application is successfully set for at least one app type on a profile, users are prevented from changing any default applications on that profile.Only one DefaultApplicationSetting is allowed for each DefaultApplicationType.See Default application settings (https://developers.google.com/android/management/default-application-settings) guide for more details.
      { # The default application setting for a DefaultApplicationType.
        &quot;defaultApplicationScopes&quot;: [ # Required. The scopes to which the policy should be applied. This list must not be empty or contain duplicates.A NonComplianceDetail with MANAGEMENT_MODE reason and DEFAULT_APPLICATION_SETTING_UNSUPPORTED_SCOPES specific reason is reported if none of the specified scopes can be applied to the management mode (e.g. a fully managed device receives a policy with only SCOPE_PERSONAL_PROFILE in the list).
          &quot;A String&quot;,
        ],
        &quot;defaultApplicationType&quot;: &quot;A String&quot;, # Required. The app type to set the default application.
        &quot;defaultApplications&quot;: [ # Required. The list of applications that can be set as the default app for a given type. This list must not be empty or contain duplicates. The first app in the list that is installed and qualified for the defaultApplicationType (e.g. SMS app for DEFAULT_SMS) is set as the default app. The signing key certificate fingerprint of the app on the device must also match one of the signing key certificate fingerprints obtained from Play Store or one of the entries in ApplicationPolicy.signingKeyCerts in order to be set as the default.If the defaultApplicationScopes contains SCOPE_FULLY_MANAGED or SCOPE_WORK_PROFILE, the app must have an entry in applications with installType set to a value other than BLOCKED.A NonComplianceDetail with APP_NOT_INSTALLED reason and DEFAULT_APPLICATION_SETTING_FAILED_FOR_SCOPE specific reason is reported if none of the apps in the list are installed. A NonComplianceDetail with INVALID_VALUE reason and DEFAULT_APPLICATION_SETTING_FAILED_FOR_SCOPE specific reason is reported if at least one app is installed but the policy fails to apply due to other reasons (e.g. the app is not of the right type).When applying to SCOPE_PERSONAL_PROFILE on a company-owned device with a work profile, only pre-installed system apps can be set as the default. A NonComplianceDetail with INVALID_VALUE reason and DEFAULT_APPLICATION_SETTING_FAILED_FOR_SCOPE specific reason is reported if the policy fails to apply to the personal profile.
          { # Information about the application to be set as the default.
            &quot;packageName&quot;: &quot;A String&quot;, # Required. The package name that should be set as the default application. The policy is rejected if the package name is invalid.
          },
        ],
      },
    ],
    &quot;defaultPermissionPolicy&quot;: &quot;A String&quot;, # The default permission policy for runtime permission requests.
    &quot;deviceConnectivityManagement&quot;: { # Covers controls for device connectivity such as Wi-Fi, USB data access, keyboard/mouse connections, and more. # Covers controls for device connectivity such as Wi-Fi, USB data access, keyboard/mouse connections, and more.
      &quot;apnPolicy&quot;: { # Access Point Name (APN) policy. Configuration for Access Point Names (APNs) which may override any other APNs on the device. See OVERRIDE_APNS_ENABLED and overrideApns for details. # Optional. Access Point Name (APN) policy. Configuration for Access Point Names (APNs) which may override any other APNs on the device. See OVERRIDE_APNS_ENABLED and overrideApns for details.
        &quot;apnSettings&quot;: [ # Optional. APN settings for override APNs. There must not be any conflict between any of APN settings provided, otherwise the policy will be rejected. Two ApnSettings are considered to conflict when all of the following fields match on both: numericOperatorId, apn, proxyAddress, proxyPort, mmsProxyAddress, mmsProxyPort, mmsc, mvnoType, protocol, roamingProtocol. If some of the APN settings result in non-compliance of INVALID_VALUE , they will be ignored. This can be set on fully managed devices on Android 10 and above. This can also be set on work profiles on Android 13 and above and only with ApnSetting&#x27;s with ENTERPRISE APN type. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 10. A NonComplianceDetail with MANAGEMENT_MODE is reported for work profiles on Android versions less than 13.
          { # An Access Point Name (APN) configuration for a carrier data connection. The APN provides configuration to connect a cellular network device to an IP data network. A carrier uses this setting to decide which IP address to assign, any security methods to apply, and how the device might be connected to private networks.
            &quot;alwaysOnSetting&quot;: &quot;A String&quot;, # Optional. Whether User Plane resources have to be activated during every transition from CM-IDLE mode to CM-CONNECTED state for this APN. See 3GPP TS 23.501 section 5.6.13.
            &quot;apn&quot;: &quot;A String&quot;, # Required. Name of the APN. Policy will be rejected if this field is empty.
            &quot;apnTypes&quot;: [ # Required. Usage categories for the APN. Policy will be rejected if this field is empty or contains APN_TYPE_UNSPECIFIED or duplicates. Multiple APN types can be set on fully managed devices. ENTERPRISE is the only allowed APN type on work profiles. A NonComplianceDetail with MANAGEMENT_MODE is reported for any other value on work profiles. APN types that are not supported on the device or management mode will be ignored. If this results in the empty list, the APN setting will be ignored, because apnTypes is a required field. A NonComplianceDetail with INVALID_VALUE is reported if none of the APN types are supported on the device or management mode.
              &quot;A String&quot;,
            ],
            &quot;authType&quot;: &quot;A String&quot;, # Optional. Authentication type of the APN.
            &quot;carrierId&quot;: 42, # Optional. Carrier ID for the APN. A value of 0 (default) means not set and negative values are rejected.
            &quot;displayName&quot;: &quot;A String&quot;, # Required. Human-readable name that describes the APN. Policy will be rejected if this field is empty.
            &quot;mmsProxyAddress&quot;: &quot;A String&quot;, # Optional. MMS (Multimedia Messaging Service) proxy address of the APN which can be an IP address or hostname (not a URL).
            &quot;mmsProxyPort&quot;: 42, # Optional. MMS (Multimedia Messaging Service) proxy port of the APN. A value of 0 (default) means not set and negative values are rejected.
            &quot;mmsc&quot;: &quot;A String&quot;, # Optional. MMSC (Multimedia Messaging Service Center) URI of the APN.
            &quot;mtuV4&quot;: 42, # Optional. The default MTU (Maximum Transmission Unit) size in bytes of the IPv4 routes brought up by this APN setting. A value of 0 (default) means not set and negative values are rejected. Supported on Android 13 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 13.
            &quot;mtuV6&quot;: 42, # Optional. The MTU (Maximum Transmission Unit) size of the IPv6 mobile interface to which the APN connected. A value of 0 (default) means not set and negative values are rejected. Supported on Android 13 and above. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 13.
            &quot;mvnoType&quot;: &quot;A String&quot;, # Optional. MVNO match type for the APN.
            &quot;networkTypes&quot;: [ # Optional. Radio technologies (network types) the APN may use. Policy will be rejected if this field contains NETWORK_TYPE_UNSPECIFIED or duplicates.
              &quot;A String&quot;,
            ],
            &quot;numericOperatorId&quot;: &quot;A String&quot;, # Optional. The numeric operator ID of the APN. Numeric operator ID is defined as MCC (Mobile Country Code) + MNC (Mobile Network Code).
            &quot;password&quot;: &quot;A String&quot;, # Optional. APN password of the APN.
            &quot;protocol&quot;: &quot;A String&quot;, # Optional. The protocol to use to connect to this APN.
            &quot;proxyAddress&quot;: &quot;A String&quot;, # Optional. The proxy address of the APN.
            &quot;proxyPort&quot;: 42, # Optional. The proxy port of the APN. A value of 0 (default) means not set and negative values are rejected.
            &quot;roamingProtocol&quot;: &quot;A String&quot;, # Optional. The protocol to use to connect to this APN while the device is roaming.
            &quot;username&quot;: &quot;A String&quot;, # Optional. APN username of the APN.
          },
        ],
        &quot;overrideApns&quot;: &quot;A String&quot;, # Optional. Whether override APNs are disabled or enabled. See DevicePolicyManager.setOverrideApnsEnabled (https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setOverrideApnsEnabled) for more details.
      },
      &quot;bluetoothSharing&quot;: &quot;A String&quot;, # Optional. Controls whether Bluetooth sharing is allowed.
      &quot;configureWifi&quot;: &quot;A String&quot;, # Controls Wi-Fi configuring privileges. Based on the option set, user will have either full or limited or no control in configuring Wi-Fi networks.
      &quot;preferentialNetworkServiceSettings&quot;: { # Preferential network service settings. # Optional. Preferential network service configuration. Setting this field will override preferentialNetworkService. This can be set on both work profiles and fully managed devices on Android 13 and above. See 5G network slicing (https://developers.google.com/android/management/5g-network-slicing) guide for more details.
        &quot;defaultPreferentialNetworkId&quot;: &quot;A String&quot;, # Required. Default preferential network ID for the applications that are not in applications or if ApplicationPolicy.preferentialNetworkId is set to PREFERENTIAL_NETWORK_ID_UNSPECIFIED. There must be a configuration for the specified network ID in preferentialNetworkServiceConfigs, unless this is set to NO_PREFERENTIAL_NETWORK. If set to PREFERENTIAL_NETWORK_ID_UNSPECIFIED or unset, this defaults to NO_PREFERENTIAL_NETWORK. Note: If the default preferential network is misconfigured, applications with no ApplicationPolicy.preferentialNetworkId set are not able to access the internet. This setting does not apply to the following critical apps: com.google.android.apps.work.clouddpc com.google.android.gmsApplicationPolicy.preferentialNetworkId can still be used to configure the preferential network for them.
        &quot;preferentialNetworkServiceConfigs&quot;: [ # Required. Preferential network service configurations which enables having multiple enterprise slices. There must not be multiple configurations with the same preferentialNetworkId. If a configuration is not referenced by any application by setting ApplicationPolicy.preferentialNetworkId or by setting defaultPreferentialNetworkId, it will be ignored. For devices on 4G networks, enterprise APN needs to be configured additionally to set up data call for preferential network service. These APNs can be added using apnPolicy.
          { # Individual preferential network service configuration.
            &quot;fallbackToDefaultConnection&quot;: &quot;A String&quot;, # Optional. Whether fallback to the device-wide default network is allowed. If this is set to FALLBACK_TO_DEFAULT_CONNECTION_ALLOWED, then nonMatchingNetworks must not be set to NON_MATCHING_NETWORKS_DISALLOWED, the policy will be rejected otherwise. Note: If this is set to FALLBACK_TO_DEFAULT_CONNECTION_DISALLOWED, applications are not able to access the internet if the 5G slice is not available.
            &quot;nonMatchingNetworks&quot;: &quot;A String&quot;, # Optional. Whether apps this configuration applies to are blocked from using networks other than the preferential service. If this is set to NON_MATCHING_NETWORKS_DISALLOWED, then fallbackToDefaultConnection must be set to FALLBACK_TO_DEFAULT_CONNECTION_DISALLOWED.
            &quot;preferentialNetworkId&quot;: &quot;A String&quot;, # Required. Preferential network identifier. This must not be set to NO_PREFERENTIAL_NETWORK or PREFERENTIAL_NETWORK_ID_UNSPECIFIED, the policy will be rejected otherwise.
          },
        ],
      },
      &quot;tetheringSettings&quot;: &quot;A String&quot;, # Controls tethering settings. Based on the value set, the user is partially or fully disallowed from using different forms of tethering.
      &quot;usbDataAccess&quot;: &quot;A String&quot;, # Controls what files and/or data can be transferred via USB. Supported only on company-owned devices.
      &quot;wifiDirectSettings&quot;: &quot;A String&quot;, # Controls configuring and using Wi-Fi direct settings. Supported on company-owned devices running Android 13 and above.
      &quot;wifiRoamingPolicy&quot;: { # Wi-Fi roaming policy. # Optional. Wi-Fi roaming policy.
        &quot;wifiRoamingSettings&quot;: [ # Optional. Wi-Fi roaming settings. SSIDs provided in this list must be unique, the policy will be rejected otherwise.
          { # Wi-Fi roaming setting.
            &quot;wifiRoamingMode&quot;: &quot;A String&quot;, # Required. Wi-Fi roaming mode for the specified SSID.
            &quot;wifiSsid&quot;: &quot;A String&quot;, # Required. SSID of the Wi-Fi network.
          },
        ],
      },
      &quot;wifiSsidPolicy&quot;: { # Restrictions on which Wi-Fi SSIDs the device can connect to. Note that this does not affect which networks can be configured on the device. Supported on company-owned devices running Android 13 and above. # Restrictions on which Wi-Fi SSIDs the device can connect to. Note that this does not affect which networks can be configured on the device. Supported on company-owned devices running Android 13 and above.
        &quot;wifiSsidPolicyType&quot;: &quot;A String&quot;, # Type of the Wi-Fi SSID policy to be applied.
        &quot;wifiSsids&quot;: [ # Optional. List of Wi-Fi SSIDs that should be applied in the policy. This field must be non-empty when WifiSsidPolicyType is set to WIFI_SSID_ALLOWLIST. If this is set to a non-empty list, then a NonComplianceDetail detail with API_LEVEL is reported if the Android version is less than 13 and a NonComplianceDetail with MANAGEMENT_MODE is reported for non-company-owned devices.
          { # Represents a Wi-Fi SSID.
            &quot;wifiSsid&quot;: &quot;A String&quot;, # Required. Wi-Fi SSID represented as a string.
          },
        ],
      },
    },
    &quot;deviceOwnerLockScreenInfo&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # The device owner information to be shown on the lock screen.
      &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
      &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
        &quot;a_key&quot;: &quot;A String&quot;,
      },
    },
    &quot;deviceRadioState&quot;: { # Controls for device radio settings. # Covers controls for radio state such as Wi-Fi, bluetooth, and more.
      &quot;airplaneModeState&quot;: &quot;A String&quot;, # Controls whether airplane mode can be toggled by the user or not.
      &quot;cellularTwoGState&quot;: &quot;A String&quot;, # Controls whether cellular 2G setting can be toggled by the user or not.
      &quot;minimumWifiSecurityLevel&quot;: &quot;A String&quot;, # The minimum required security level of Wi-Fi networks that the device can connect to.
      &quot;ultraWidebandState&quot;: &quot;A String&quot;, # Controls the state of the ultra wideband setting and whether the user can toggle it on or off.
      &quot;wifiState&quot;: &quot;A String&quot;, # Controls current state of Wi-Fi and if user can change its state.
    },
    &quot;displaySettings&quot;: { # Controls for the display settings. # Optional. Controls for the display settings.
      &quot;screenBrightnessSettings&quot;: { # Controls for the screen brightness settings. # Optional. Controls the screen brightness settings.
        &quot;screenBrightness&quot;: 42, # Optional. The screen brightness between 1 and 255 where 1 is the lowest and 255 is the highest brightness. A value of 0 (default) means no screen brightness set. Any other value is rejected. screenBrightnessMode must be either BRIGHTNESS_AUTOMATIC or BRIGHTNESS_FIXED to set this. Supported on Android 9 and above on fully managed devices. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 9. Supported on work profiles on company-owned devices on Android 15 and above.
        &quot;screenBrightnessMode&quot;: &quot;A String&quot;, # Optional. Controls the screen brightness mode.
      },
      &quot;screenTimeoutSettings&quot;: { # Controls the screen timeout settings. # Optional. Controls the screen timeout settings.
        &quot;screenTimeout&quot;: &quot;A String&quot;, # Optional. Controls the screen timeout duration. The screen timeout duration must be greater than 0, otherwise it is rejected. Additionally, it should not be greater than maximumTimeToLock, otherwise the screen timeout is set to maximumTimeToLock and a NonComplianceDetail with INVALID_VALUE reason and SCREEN_TIMEOUT_GREATER_THAN_MAXIMUM_TIME_TO_LOCK specific reason is reported. If the screen timeout is less than a certain lower bound, it is set to the lower bound. The lower bound may vary across devices. If this is set, screenTimeoutMode must be SCREEN_TIMEOUT_ENFORCED. Supported on Android 9 and above on fully managed devices. A NonComplianceDetail with API_LEVEL is reported if the Android version is less than 9. Supported on work profiles on company-owned devices on Android 15 and above.
        &quot;screenTimeoutMode&quot;: &quot;A String&quot;, # Optional. Controls whether the user is allowed to configure the screen timeout.
      },
    },
    &quot;encryptionPolicy&quot;: &quot;A String&quot;, # Whether encryption is enabled
    &quot;ensureVerifyAppsEnabled&quot;: True or False, # Whether app verification is force-enabled.
    &quot;enterpriseDisplayNameVisibility&quot;: &quot;A String&quot;, # Optional. Controls whether the enterpriseDisplayName is visible on the device (e.g. lock screen message on company-owned devices).
    &quot;factoryResetDisabled&quot;: True or False, # Whether factory resetting from settings is disabled.
    &quot;frpAdminEmails&quot;: [ # Email addresses of device administrators for factory reset protection. When the device is factory reset, it will require one of these admins to log in with the Google account email and password to unlock the device. If no admins are specified, the device won&#x27;t provide factory reset protection.
      &quot;A String&quot;,
    ],
    &quot;funDisabled&quot;: True or False, # Whether the user is allowed to have fun. Controls whether the Easter egg game in Settings is disabled.
    &quot;installAppsDisabled&quot;: True or False, # Whether user installation of apps is disabled.
    &quot;installUnknownSourcesAllowed&quot;: True or False, # This field has no effect.
    &quot;keyguardDisabled&quot;: True or False, # If true, this disables the Lock Screen (https://source.android.com/docs/core/display/multi_display/lock-screen) for primary and/or secondary displays. This policy is supported only in dedicated device management mode.
    &quot;keyguardDisabledFeatures&quot;: [ # Disabled keyguard customizations, such as widgets.
      &quot;A String&quot;,
    ],
    &quot;kioskCustomLauncherEnabled&quot;: True or False, # Whether the kiosk custom launcher is enabled. This replaces the home screen with a launcher that locks down the device to the apps installed via the applications setting. Apps appear on a single page in alphabetical order. Use kioskCustomization to further configure the kiosk device behavior.
    &quot;kioskCustomization&quot;: { # Settings controlling the behavior of a device in kiosk mode. To enable kiosk mode, set kioskCustomLauncherEnabled to true or specify an app in the policy with installType KIOSK. # Settings controlling the behavior of a device in kiosk mode. To enable kiosk mode, set kioskCustomLauncherEnabled to true or specify an app in the policy with installType KIOSK.
      &quot;deviceSettings&quot;: &quot;A String&quot;, # Specifies whether the Settings app is allowed in kiosk mode.
      &quot;powerButtonActions&quot;: &quot;A String&quot;, # Sets the behavior of a device in kiosk mode when a user presses and holds (long-presses) the Power button.
      &quot;statusBar&quot;: &quot;A String&quot;, # Specifies whether system info and notifications are disabled in kiosk mode.
      &quot;systemErrorWarnings&quot;: &quot;A String&quot;, # Specifies whether system error dialogs for crashed or unresponsive apps are blocked in kiosk mode. When blocked, the system will force-stop the app as if the user chooses the &quot;close app&quot; option on the UI.
      &quot;systemNavigation&quot;: &quot;A String&quot;, # Specifies which navigation features are enabled (e.g. Home, Overview buttons) in kiosk mode.
    },
    &quot;locationMode&quot;: &quot;A String&quot;, # The degree of location detection enabled.
    &quot;longSupportMessage&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # A message displayed to the user in the device administators settings screen.
      &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
      &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
        &quot;a_key&quot;: &quot;A String&quot;,
      },
    },
    &quot;maximumTimeToLock&quot;: &quot;A String&quot;, # Maximum time in milliseconds for user activity until the device locks. A value of 0 means there is no restriction.
    &quot;microphoneAccess&quot;: &quot;A String&quot;, # Controls the use of the microphone and whether the user has access to the microphone access toggle. This applies only on fully managed devices.
    &quot;minimumApiLevel&quot;: 42, # The minimum allowed Android API level.
    &quot;mobileNetworksConfigDisabled&quot;: True or False, # Whether configuring mobile networks is disabled.
    &quot;modifyAccountsDisabled&quot;: True or False, # Whether adding or removing accounts is disabled.
    &quot;mountPhysicalMediaDisabled&quot;: True or False, # Whether the user mounting physical external media is disabled.
    &quot;name&quot;: &quot;A String&quot;, # The name of the policy in the form enterprises/{enterpriseId}/policies/{policyId}.
    &quot;networkEscapeHatchEnabled&quot;: True or False, # Whether the network escape hatch is enabled. If a network connection can&#x27;t be made at boot time, the escape hatch prompts the user to temporarily connect to a network in order to refresh the device policy. After applying policy, the temporary network will be forgotten and the device will continue booting. This prevents being unable to connect to a network if there is no suitable network in the last policy and the device boots into an app in lock task mode, or the user is otherwise unable to reach device settings.Note: Setting wifiConfigDisabled to true will override this setting under specific circumstances. Please see wifiConfigDisabled for further details. Setting configureWifi to DISALLOW_CONFIGURING_WIFI will override this setting under specific circumstances. Please see DISALLOW_CONFIGURING_WIFI for further details.
    &quot;networkResetDisabled&quot;: True or False, # Whether resetting network settings is disabled.
    &quot;oncCertificateProviders&quot;: [ # This feature is not generally available.
      { # This feature is not generally available.
        &quot;certificateReferences&quot;: [ # This feature is not generally available.
          &quot;A String&quot;,
        ],
        &quot;contentProviderEndpoint&quot;: { # This feature is not generally available. # This feature is not generally available.
          &quot;packageName&quot;: &quot;A String&quot;, # This feature is not generally available.
          &quot;signingCertsSha256&quot;: [ # Required. This feature is not generally available.
            &quot;A String&quot;,
          ],
          &quot;uri&quot;: &quot;A String&quot;, # This feature is not generally available.
        },
      },
    ],
    &quot;openNetworkConfiguration&quot;: { # Network configuration for the device. See configure networks for more information.
      &quot;a_key&quot;: &quot;&quot;, # Properties of the object.
    },
    &quot;outgoingBeamDisabled&quot;: True or False, # Whether using NFC to beam data from apps is disabled.
    &quot;outgoingCallsDisabled&quot;: True or False, # Whether outgoing calls are disabled.
    &quot;passwordPolicies&quot;: [ # Password requirement policies. Different policies can be set for work profile or fully managed devices by setting the password_scope field in the policy.
      { # Requirements for the password used to unlock a device.
        &quot;maximumFailedPasswordsForWipe&quot;: 42, # Number of incorrect device-unlock passwords that can be entered before a device is wiped. A value of 0 means there is no restriction.
        &quot;passwordExpirationTimeout&quot;: &quot;A String&quot;, # Password expiration timeout.
        &quot;passwordHistoryLength&quot;: 42, # The length of the password history. After setting this field, the user won&#x27;t be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction.
        &quot;passwordMinimumLength&quot;: 42, # The minimum allowed password length. A value of 0 means there is no restriction. Only enforced when password_quality is NUMERIC, NUMERIC_COMPLEX, ALPHABETIC, ALPHANUMERIC, or COMPLEX.
        &quot;passwordMinimumLetters&quot;: 42, # Minimum number of letters required in the password. Only enforced when password_quality is COMPLEX.
        &quot;passwordMinimumLowerCase&quot;: 42, # Minimum number of lower case letters required in the password. Only enforced when password_quality is COMPLEX.
        &quot;passwordMinimumNonLetter&quot;: 42, # Minimum number of non-letter characters (numerical digits or symbols) required in the password. Only enforced when password_quality is COMPLEX.
        &quot;passwordMinimumNumeric&quot;: 42, # Minimum number of numerical digits required in the password. Only enforced when password_quality is COMPLEX.
        &quot;passwordMinimumSymbols&quot;: 42, # Minimum number of symbols required in the password. Only enforced when password_quality is COMPLEX.
        &quot;passwordMinimumUpperCase&quot;: 42, # Minimum number of upper case letters required in the password. Only enforced when password_quality is COMPLEX.
        &quot;passwordQuality&quot;: &quot;A String&quot;, # The required password quality.
        &quot;passwordScope&quot;: &quot;A String&quot;, # The scope that the password requirement applies to.
        &quot;requirePasswordUnlock&quot;: &quot;A String&quot;, # The length of time after a device or work profile is unlocked using a strong form of authentication (password, PIN, pattern) that it can be unlocked using any other authentication method (e.g. fingerprint, trust agents, face). After the specified time period elapses, only strong forms of authentication can be used to unlock the device or work profile.
        &quot;unifiedLockSettings&quot;: &quot;A String&quot;, # Controls whether a unified lock is allowed for the device and the work profile, on devices running Android 9 and above with a work profile. This can be set only if password_scope is set to SCOPE_PROFILE, the policy will be rejected otherwise. If user has not set a separate work lock and this field is set to REQUIRE_SEPARATE_WORK_LOCK, a NonComplianceDetail is reported with nonComplianceReason set to USER_ACTION.
      },
    ],
    &quot;passwordRequirements&quot;: { # Requirements for the password used to unlock a device. # Password requirements. The field password_requirements.require_password_unlock must not be set. DEPRECATED - Use passwordPolicies.Note:Complexity-based values of PasswordQuality, that is, COMPLEXITY_LOW, COMPLEXITY_MEDIUM, and COMPLEXITY_HIGH, cannot be used here. unified_lock_settings cannot be used here.
      &quot;maximumFailedPasswordsForWipe&quot;: 42, # Number of incorrect device-unlock passwords that can be entered before a device is wiped. A value of 0 means there is no restriction.
      &quot;passwordExpirationTimeout&quot;: &quot;A String&quot;, # Password expiration timeout.
      &quot;passwordHistoryLength&quot;: 42, # The length of the password history. After setting this field, the user won&#x27;t be able to enter a new password that is the same as any password in the history. A value of 0 means there is no restriction.
      &quot;passwordMinimumLength&quot;: 42, # The minimum allowed password length. A value of 0 means there is no restriction. Only enforced when password_quality is NUMERIC, NUMERIC_COMPLEX, ALPHABETIC, ALPHANUMERIC, or COMPLEX.
      &quot;passwordMinimumLetters&quot;: 42, # Minimum number of letters required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumLowerCase&quot;: 42, # Minimum number of lower case letters required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumNonLetter&quot;: 42, # Minimum number of non-letter characters (numerical digits or symbols) required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumNumeric&quot;: 42, # Minimum number of numerical digits required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumSymbols&quot;: 42, # Minimum number of symbols required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordMinimumUpperCase&quot;: 42, # Minimum number of upper case letters required in the password. Only enforced when password_quality is COMPLEX.
      &quot;passwordQuality&quot;: &quot;A String&quot;, # The required password quality.
      &quot;passwordScope&quot;: &quot;A String&quot;, # The scope that the password requirement applies to.
      &quot;requirePasswordUnlock&quot;: &quot;A String&quot;, # The length of time after a device or work profile is unlocked using a strong form of authentication (password, PIN, pattern) that it can be unlocked using any other authentication method (e.g. fingerprint, trust agents, face). After the specified time period elapses, only strong forms of authentication can be used to unlock the device or work profile.
      &quot;unifiedLockSettings&quot;: &quot;A String&quot;, # Controls whether a unified lock is allowed for the device and the work profile, on devices running Android 9 and above with a work profile. This can be set only if password_scope is set to SCOPE_PROFILE, the policy will be rejected otherwise. If user has not set a separate work lock and this field is set to REQUIRE_SEPARATE_WORK_LOCK, a NonComplianceDetail is reported with nonComplianceReason set to USER_ACTION.
    },
    &quot;permissionGrants&quot;: [ # Explicit permission or group grants or denials for all apps. These values override the default_permission_policy.
      { # Configuration for an Android permission and its grant state.
        &quot;permission&quot;: &quot;A String&quot;, # The Android permission or group, e.g. android.permission.READ_CALENDAR or android.permission_group.CALENDAR.
        &quot;policy&quot;: &quot;A String&quot;, # The policy for granting the permission.
      },
    ],
    &quot;permittedAccessibilityServices&quot;: { # A list of package names. # Specifies permitted accessibility services. If the field is not set, any accessibility service can be used. If the field is set, only the accessibility services in this list and the system&#x27;s built-in accessibility service can be used. In particular, if the field is set to empty, only the system&#x27;s built-in accessibility servicess can be used. This can be set on fully managed devices and on work profiles. When applied to a work profile, this affects both the personal profile and the work profile.
      &quot;packageNames&quot;: [ # A list of package names.
        &quot;A String&quot;,
      ],
    },
    &quot;permittedInputMethods&quot;: { # A list of package names. # If present, only the input methods provided by packages in this list are permitted. If this field is present, but the list is empty, then only system input methods are permitted.
      &quot;packageNames&quot;: [ # A list of package names.
        &quot;A String&quot;,
      ],
    },
    &quot;persistentPreferredActivities&quot;: [ # Default intent handler activities.
      { # A default activity for handling intents that match a particular intent filter. Note: To set up a kiosk, use InstallType to KIOSK rather than use persistent preferred activities.
        &quot;actions&quot;: [ # The intent actions to match in the filter. If any actions are included in the filter, then an intent&#x27;s action must be one of those values for it to match. If no actions are included, the intent action is ignored.
          &quot;A String&quot;,
        ],
        &quot;categories&quot;: [ # The intent categories to match in the filter. An intent includes the categories that it requires, all of which must be included in the filter in order to match. In other words, adding a category to the filter has no impact on matching unless that category is specified in the intent.
          &quot;A String&quot;,
        ],
        &quot;receiverActivity&quot;: &quot;A String&quot;, # The activity that should be the default intent handler. This should be an Android component name, e.g. com.android.enterprise.app/.MainActivity. Alternatively, the value may be the package name of an app, which causes Android Device Policy to choose an appropriate activity from the app to handle the intent.
      },
    ],
    &quot;personalUsagePolicies&quot;: { # Policies controlling personal usage on a company-owned device with a work profile. # Policies managing personal usage on a company-owned device.
      &quot;accountTypesWithManagementDisabled&quot;: [ # Account types that can&#x27;t be managed by the user.
        &quot;A String&quot;,
      ],
      &quot;bluetoothSharing&quot;: &quot;A String&quot;, # Optional. Whether bluetooth sharing is allowed.
      &quot;cameraDisabled&quot;: True or False, # If true, the camera is disabled on the personal profile.
      &quot;maxDaysWithWorkOff&quot;: 42, # Controls how long the work profile can stay off. The minimum duration must be at least 3 days. Other details are as follows: - If the duration is set to 0, the feature is turned off. - If the duration is set to a value smaller than the minimum duration, the feature returns an error. *Note:* If you want to avoid personal profiles being suspended during long periods of off-time, you can temporarily set a large value for this parameter.
      &quot;personalApplications&quot;: [ # Policy applied to applications in the personal profile.
        { # Policies for apps in the personal profile of a company-owned device with a work profile.
          &quot;installType&quot;: &quot;A String&quot;, # The type of installation to perform.
          &quot;packageName&quot;: &quot;A String&quot;, # The package name of the application.
        },
      ],
      &quot;personalPlayStoreMode&quot;: &quot;A String&quot;, # Used together with personalApplications to control how apps in the personal profile are allowed or blocked.
      &quot;privateSpacePolicy&quot;: &quot;A String&quot;, # Optional. Controls whether a private space is allowed on the device.
      &quot;screenCaptureDisabled&quot;: True or False, # If true, screen capture is disabled for all users.
    },
    &quot;playStoreMode&quot;: &quot;A String&quot;, # This mode controls which apps are available to the user in the Play Store and the behavior on the device when apps are removed from the policy.
    &quot;policyEnforcementRules&quot;: [ # Rules that define the behavior when a particular policy can not be applied on device
      { # A rule that defines the actions to take if a device or work profile is not compliant with the policy specified in settingName. In the case of multiple matching or multiple triggered enforcement rules, a merge will occur with the most severe action being taken. However, all triggered rules are still kept track of: this includes initial trigger time and all associated non-compliance details. In the situation where the most severe enforcement rule is satisfied, the next most appropriate action is applied.
        &quot;blockAction&quot;: { # An action to block access to apps and data on a fully managed device or in a work profile. This action also triggers a device or work profile to displays a user-facing notification with information (where possible) on how to correct the compliance issue. Note: wipeAction must also be specified. # An action to block access to apps and data on a company owned device or in a work profile. This action also triggers a user-facing notification with information (where possible) on how to correct the compliance issue. Note: wipeAction must also be specified.
          &quot;blockAfterDays&quot;: 42, # Number of days the policy is non-compliant before the device or work profile is blocked. To block access immediately, set to 0. blockAfterDays must be less than wipeAfterDays.
          &quot;blockScope&quot;: &quot;A String&quot;, # Specifies the scope of this BlockAction. Only applicable to devices that are company-owned.
        },
        &quot;settingName&quot;: &quot;A String&quot;, # The top-level policy to enforce. For example, applications or passwordPolicies.
        &quot;wipeAction&quot;: { # An action to reset a company owned device or delete a work profile. Note: blockAction must also be specified. # An action to reset a company owned device or delete a work profile. Note: blockAction must also be specified.
          &quot;preserveFrp&quot;: True or False, # Whether the factory-reset protection data is preserved on the device. This setting doesn’t apply to work profiles.
          &quot;wipeAfterDays&quot;: 42, # Number of days the policy is non-compliant before the device or work profile is wiped. wipeAfterDays must be greater than blockAfterDays.
        },
      },
    ],
    &quot;preferentialNetworkService&quot;: &quot;A String&quot;, # Controls whether preferential network service is enabled on the work profile or on fully managed devices. For example, an organization may have an agreement with a carrier that all of the work data from its employees&#x27; devices will be sent via a network service dedicated for enterprise use. An example of a supported preferential network service is the enterprise slice on 5G networks. This policy has no effect if preferentialNetworkServiceSettings or ApplicationPolicy.preferentialNetworkId is set on devices running Android 13 or above.
    &quot;printingPolicy&quot;: &quot;A String&quot;, # Optional. Controls whether printing is allowed. This is supported on devices running Android 9 and above. .
    &quot;privateKeySelectionEnabled&quot;: True or False, # Allows showing UI on a device for a user to choose a private key alias if there are no matching rules in ChoosePrivateKeyRules. For devices below Android P, setting this may leave enterprise keys vulnerable. This value will have no effect if any application has CERT_SELECTION delegation scope.
    &quot;recommendedGlobalProxy&quot;: { # Configuration info for an HTTP proxy. For a direct proxy, set the host, port, and excluded_hosts fields. For a PAC script proxy, set the pac_uri field. # The network-independent global HTTP proxy. Typically proxies should be configured per-network in open_network_configuration. However for unusual configurations like general internal filtering a global HTTP proxy may be useful. If the proxy is not accessible, network access may break. The global proxy is only a recommendation and some apps may ignore it.
      &quot;excludedHosts&quot;: [ # For a direct proxy, the hosts for which the proxy is bypassed. The host names may contain wildcards such as *.example.com.
        &quot;A String&quot;,
      ],
      &quot;host&quot;: &quot;A String&quot;, # The host of the direct proxy.
      &quot;pacUri&quot;: &quot;A String&quot;, # The URI of the PAC script used to configure the proxy.
      &quot;port&quot;: 42, # The port of the direct proxy.
    },
    &quot;removeUserDisabled&quot;: True or False, # Whether removing other users is disabled.
    &quot;safeBootDisabled&quot;: True or False, # Whether rebooting the device into safe boot is disabled.
    &quot;screenCaptureDisabled&quot;: True or False, # Whether screen capture is disabled.
    &quot;setUserIconDisabled&quot;: True or False, # Whether changing the user icon is disabled. The setting has effect only on fully managed devices.
    &quot;setWallpaperDisabled&quot;: True or False, # Whether changing the wallpaper is disabled.
    &quot;setupActions&quot;: [ # Action to take during the setup process. At most one action may be specified.
      { # An action executed during setup.
        &quot;description&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # Description of this action.
          &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
          &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
            &quot;a_key&quot;: &quot;A String&quot;,
          },
        },
        &quot;launchApp&quot;: { # An action to launch an app. # An action to launch an app. The app will be launched with an intent containing an extra with key com.google.android.apps.work.clouddpc.EXTRA_LAUNCHED_AS_SETUP_ACTION set to the boolean value true to indicate that this is a setup action flow. If SetupAction references an app, the corresponding installType in the application policy must be set as REQUIRED_FOR_SETUP or said setup will fail.
          &quot;packageName&quot;: &quot;A String&quot;, # Package name of app to be launched
        },
        &quot;title&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # Title of this action.
          &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
          &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
            &quot;a_key&quot;: &quot;A String&quot;,
          },
        },
      },
    ],
    &quot;shareLocationDisabled&quot;: True or False, # Whether location sharing is disabled. share_location_disabled is supported for both fully managed devices and personally owned work profiles.
    &quot;shortSupportMessage&quot;: { # Provides a user-facing message with locale info. The maximum message length is 4096 characters. # A message displayed to the user in the settings screen wherever functionality has been disabled by the admin. If the message is longer than 200 characters it may be truncated.
      &quot;defaultMessage&quot;: &quot;A String&quot;, # The default message displayed if no localized message is specified or the user&#x27;s locale doesn&#x27;t match with any of the localized messages. A default message must be provided if any localized messages are provided.
      &quot;localizedMessages&quot;: { # A map containing pairs, where locale is a well-formed BCP 47 language (https://www.w3.org/International/articles/language-tags/) code, such as en-US, es-ES, or fr.
        &quot;a_key&quot;: &quot;A String&quot;,
      },
    },
    &quot;skipFirstUseHintsEnabled&quot;: True or False, # Flag to skip hints on the first use. Enterprise admin can enable the system recommendation for apps to skip their user tutorial and other introductory hints on first start-up.
    &quot;smsDisabled&quot;: True or False, # Whether sending and receiving SMS messages is disabled.
    &quot;statusBarDisabled&quot;: True or False, # Whether the status bar is disabled. This disables notifications, quick settings, and other screen overlays that allow escape from full-screen mode. DEPRECATED. To disable the status bar on a kiosk device, use InstallType KIOSK or kioskCustomLauncherEnabled.
    &quot;statusReportingSettings&quot;: { # Settings controlling the behavior of status reports. # Status reporting settings
      &quot;applicationReportingSettings&quot;: { # Settings controlling the behavior of application reports. # Application reporting settings. Only applicable if application_reports_enabled is true.
        &quot;includeRemovedApps&quot;: True or False, # Whether removed apps are included in application reports.
      },
      &quot;applicationReportsEnabled&quot;: True or False, # Whether app reports are enabled.
      &quot;commonCriteriaModeEnabled&quot;: True or False, # Whether Common Criteria Mode reporting is enabled. This is supported only on company-owned devices.
      &quot;defaultApplicationInfoReportingEnabled&quot;: True or False, # Optional. Whether defaultApplicationInfo reporting is enabled.
      &quot;deviceSettingsEnabled&quot;: True or False, # Whether device settings reporting is enabled.
      &quot;displayInfoEnabled&quot;: True or False, # Whether displays reporting is enabled. Report data is not available for personally owned devices with work profiles.
      &quot;hardwareStatusEnabled&quot;: True or False, # Whether hardware status reporting is enabled. Report data is not available for personally owned devices with work profiles.
      &quot;memoryInfoEnabled&quot;: True or False, # Whether memory event reporting is enabled.
      &quot;networkInfoEnabled&quot;: True or False, # Whether network info reporting is enabled.
      &quot;powerManagementEventsEnabled&quot;: True or False, # Whether power management event reporting is enabled. Report data is not available for personally owned devices with work profiles.
      &quot;softwareInfoEnabled&quot;: True or False, # Whether software info reporting is enabled.
      &quot;systemPropertiesEnabled&quot;: True or False, # Whether system properties reporting is enabled.
    },
    &quot;stayOnPluggedModes&quot;: [ # The battery plugged in modes for which the device stays on. When using this setting, it is recommended to clear maximum_time_to_lock so that the device doesn&#x27;t lock itself while it stays on.
      &quot;A String&quot;,
    ],
    &quot;systemUpdate&quot;: { # Configuration for managing system updatesNote: Google Play system updates (https://source.android.com/docs/core/ota/modular-system) (also called Mainline updates) are automatically downloaded but require a device reboot to be installed. Refer to the mainline section in Manage system updates (https://developer.android.com/work/dpc/system-updates#mainline) for further details. # The system update policy, which controls how OS updates are applied. If the update type is WINDOWED, the update window will automatically apply to Play app updates as well.Note: Google Play system updates (https://source.android.com/docs/core/ota/modular-system) (also called Mainline updates) are automatically downloaded and require a device reboot to be installed. Refer to the mainline section in Manage system updates (https://developer.android.com/work/dpc/system-updates#mainline) for further details.
      &quot;endMinutes&quot;: 42, # If the type is WINDOWED, the end of the maintenance window, measured as the number of minutes after midnight in device&#x27;s local time. This value must be between 0 and 1439, inclusive. If this value is less than start_minutes, then the maintenance window spans midnight. If the maintenance window specified is smaller than 30 minutes, the actual window is extended to 30 minutes beyond the start time.
      &quot;freezePeriods&quot;: [ # An annually repeating time period in which over-the-air (OTA) system updates are postponed to freeze the OS version running on a device. To prevent freezing the device indefinitely, each freeze period must be separated by at least 60 days.
        { # A system freeze period. When a device’s clock is within the freeze period, all incoming system updates (including security patches) are blocked and won’t be installed.When the device is outside any set freeze periods, the normal policy behavior (automatic, windowed, or postponed) applies.Leap years are ignored in freeze period calculations, in particular: If Feb. 29th is set as the start or end date of a freeze period, the freeze period will start or end on Feb. 28th instead. When a device’s system clock reads Feb. 29th, it’s treated as Feb. 28th. When calculating the number of days in a freeze period or the time between two freeze periods, Feb. 29th is ignored and not counted as a day.Note: For Freeze Periods to take effect, SystemUpdateType cannot be specified as SYSTEM_UPDATE_TYPE_UNSPECIFIED, because freeze periods require a defined policy to be specified.
          &quot;endDate&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: A full date, with non-zero year, month, and day values. A month and day, with a zero year (for example, an anniversary). A year on its own, with a zero month and a zero day. A year and month, with a zero day (for example, a credit card expiration date).Related types: google.type.TimeOfDay google.type.DateTime google.protobuf.Timestamp # The end date (inclusive) of the freeze period. Must be no later than 90 days from the start date. If the end date is earlier than the start date, the freeze period is considered wrapping year-end. Note: day and month must be set. year should not be set as it is not used. For example, {&quot;month&quot;: 1,&quot;date&quot;: 30}.
            &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
            &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
            &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
          },
          &quot;startDate&quot;: { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: A full date, with non-zero year, month, and day values. A month and day, with a zero year (for example, an anniversary). A year on its own, with a zero month and a zero day. A year and month, with a zero day (for example, a credit card expiration date).Related types: google.type.TimeOfDay google.type.DateTime google.protobuf.Timestamp # The start date (inclusive) of the freeze period. Note: day and month must be set. year should not be set as it is not used. For example, {&quot;month&quot;: 1,&quot;date&quot;: 30}.
            &quot;day&quot;: 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn&#x27;t significant.
            &quot;month&quot;: 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
            &quot;year&quot;: 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
          },
        },
      ],
      &quot;startMinutes&quot;: 42, # If the type is WINDOWED, the start of the maintenance window, measured as the number of minutes after midnight in the device&#x27;s local time. This value must be between 0 and 1439, inclusive.
      &quot;type&quot;: &quot;A String&quot;, # The type of system update to configure.
    },
    &quot;tetheringConfigDisabled&quot;: True or False, # Whether configuring tethering and portable hotspots is disabled. If tetheringSettings is set to anything other than TETHERING_SETTINGS_UNSPECIFIED, this setting is ignored.
    &quot;uninstallAppsDisabled&quot;: True or False, # Whether user uninstallation of applications is disabled. This prevents apps from being uninstalled, even those removed using applications
    &quot;unmuteMicrophoneDisabled&quot;: True or False, # If microphone_access is set to any value other than MICROPHONE_ACCESS_UNSPECIFIED, this has no effect. Otherwise this field controls whether microphones are disabled: If true, all microphones are disabled, otherwise they are available. This is available only on fully managed devices.
    &quot;usageLog&quot;: { # Controls types of device activity logs collected from the device and reported via Pub/Sub notification (https://developers.google.com/android/management/notifications). # Configuration of device activity logging.
      &quot;enabledLogTypes&quot;: [ # Specifies which log types are enabled. Note that users will receive on-device messaging when usage logging is enabled.
        &quot;A String&quot;,
      ],
      &quot;uploadOnCellularAllowed&quot;: [ # Specifies which of the enabled log types can be uploaded over mobile data. By default logs are queued for upload when the device connects to WiFi.
        &quot;A String&quot;,
      ],
    },
    &quot;usbFileTransferDisabled&quot;: True or False, # Whether transferring files over USB is disabled. This is supported only on company-owned devices.
    &quot;usbMassStorageEnabled&quot;: True or False, # Whether USB storage is enabled. Deprecated.
    &quot;version&quot;: &quot;A String&quot;, # The version of the policy. This is a read-only field. The version is incremented each time the policy is updated.
    &quot;vpnConfigDisabled&quot;: True or False, # Whether configuring VPN is disabled.
    &quot;wifiConfigDisabled&quot;: True or False, # Whether configuring Wi-Fi networks is disabled. Supported on fully managed devices and work profiles on company-owned devices. For fully managed devices, setting this to true removes all configured networks and retains only the networks configured using openNetworkConfiguration. For work profiles on company-owned devices, existing configured networks are not affected and the user is not allowed to add, remove, or modify Wi-Fi networks. If configureWifi is set to anything other than CONFIGURE_WIFI_UNSPECIFIED, this setting is ignored. Note: If a network connection can&#x27;t be made at boot time and configuring Wi-Fi is disabled then network escape hatch will be shown in order to refresh the device policy (see networkEscapeHatchEnabled).
    &quot;wifiConfigsLockdownEnabled&quot;: True or False, # This is deprecated.
    &quot;wipeDataFlags&quot;: [ # Optional. Wipe flags to indicate what data is wiped when a device or profile wipe is triggered due to any reason (for example, non-compliance). This does not apply to the enterprises.devices.delete method. . This list must not have duplicates.
      &quot;A String&quot;,
    ],
    &quot;workAccountSetupConfig&quot;: { # Controls the work account setup configuration, such as details of whether a Google authenticated account is required. # Optional. Controls the work account setup configuration, such as details of whether a Google authenticated account is required.
      &quot;authenticationType&quot;: &quot;A String&quot;, # Optional. The authentication type of the user on the device.
      &quot;requiredAccountEmail&quot;: &quot;A String&quot;, # Optional. The specific google work account email address to be added. This field is only relevant if authenticationType is GOOGLE_AUTHENTICATED. This must be an enterprise account and not a consumer account. Once set and a Google authenticated account is added to the device, changing this field will have no effect, and thus recommended to be set only once.
    },
  },
}</pre>
</div>

</body></html>